Systems and methods of global identification

ABSTRACT

The invention provides one or more consortia of networks that identify and share information about users and/or user devices interacting with the consortia. User devices may be identified, at least in part, by a delta of time parameter between a user device used and a reference time. Other parameters may be analyzed to identify a computer user and/or device and noteworthy transactions. The invention may be used for identity-based applications such as network security, the detection of fraudulent transactions, identity theft, ratings-based communities and law enforcement. User may be permitted to register user devices in order to control access for performing transactions.

CROSS-REFERENCE

This application is a continuation application of U.S. application Ser.No. 16/511,618 filed on Jul. 15, 2019, entitled SYSTEMS AND METHOD OFGLOBAL IDENTIFICATION, which is a continuation application of U.S.application Ser. No. 15/971,203 filed on May 4, 2018, now U.S. Pat. No.10,395,252, issued Aug. 27, 2019, entitled SYSTEMS AND METHODS OF GLOBALIDENTIFICATION, which is a continuation application of U.S. applicationSer. No. 14/710,552 filed on May 12, 2015, now U.S. Pat. No. 9,990,631,issued Jun. 5, 2018, entitled SYSTEMS AND METHODS OF GLOBALIDENTIFICATION, which is a continuation of PCT/US2013/070146, filed onNov. 14, 2013, entitled SYSTEMS AND METHODS OF GLOBAL IDENTIFICATION,which claims priority to U.S. Provisional Patent Application Ser. No.61/726,518, filed on Nov. 14, 2012, entitled SYSTEMS AND METHODS OFGLOBAL IDENTIFICATION, where all above-cited applications are herebyincorporated herein by reference in their entireties.

FIELD OF THE INVENTION

The invention relates to network security, the detection of fraudulenttransactions and identity theft, and reputation. More particularly, theinvention relates to one or more consortia of computer networks thatidentify and share information about users and/or computing devices.

BACKGROUND OF THE INVENTION

Many methods and systems have been developed over the years to preventor detect Internet fraud. Today, to gain consumer confidence and preventrevenue loss, a website operator or merchant desires an accurate andtrustworthy way of detecting possible Internet fraud. Merely asking forthe user name, address, phone number, and e-mail address will notsuffice to detect and determine a probable fraudulent transactionbecause such information can be altered, manipulated, fraudulentlyobtained, or simply false.

Furthermore, a fraudulent user may conduct transactions with numerouswebsites or online businesses. One website merely relying on informationgathered during previous transactions with that particular website maylimit the scope of fraud prevention potential.

Accordingly, what is needed is a method and system that overcomes theproblems associated with a typical verification and fraud preventionsystem for Internet transactions by identifying each user and/or userdevice and sharing that information. Then, when a user seeks a secondfraudulent transaction, whether the transaction is with the same ordifferent website, the website operator may detect the fraud and takeappropriate action.

SUMMARY OF THE INVENTION

The invention provides systems and methods that identify users and/oruser devices connecting to a network. Information about a user or userdevice may be collected during a transaction between a user device andan online host. In some embodiments, a device identifier may be derivedfrom the collected information and assigned to a user device.Optionally, a global identifier can be derived from device informationand/or user information. This information can be used to observe userbehavior and activity, such as an account connecting from many differentdevices, or many accounts connecting from the same device. Suchinformation may help validate devices and the status of the deviceidentifier may be verified as acceptable to the online business based onthe status rules of the online business. In addition, this informationcan be used to cross-reference computing devices used by knownfraudulent accounts, and cross-reference other accounts used by specificdevices. In some cases, the online hosts may communicate with anauthentication repository, which may also include a centralized databaseof gathered information, such as device identifiers or fraud history,that can be updated and shared.

Accordingly, computing devices involved in suspicious or fraudulentactivity, or devices associated with accounts involved in suspiciousactivity can be identified. This information can be shared with otheronline hosts and networks within one or more consortia. In this way,computer devices associated with suspicious or fraudulent activity onone network may be denied access to other networks.

The invention may be applied to provide a fraud detection and preventionsystem that can significantly reduce the risk associated with Internettransactions and fraud. By sharing information about potentiallyfraudulent users or devices, and identifying user devices as well astheir association with certain online activity, the system may allowbusinesses to avoid problem customers or devices associated withfraudulent activity. The system can track device activity and userbehavior over selected periods of time, thereby identifying suspiciousactivity based on selected parameters established by online businesses.

Information shared across a consortium may include a delta of timeparameter. The delta of time parameter may be shared directly and/or maybe shared as part of a device identifier. The delta of time parametermay be calculated as a difference between a user device clock time and areference time. A reference time may include an online business serverclock time or a repository server clock time, which may be synchronizedto a time, such as Coordinated Universal Time (UTC). Information sharedacross a consortium may also include personal and non-personalidentification information, which may or may not be incorporated as partof a device identifier.

Device similarity percentages (DSPs) may be used to assist withidentifier a device. Device information sharing the same anchor andcollected over time may be compared. If the device information matcheswithin a predetermined threshold, the device identifiers formatted fromthe device information collected at the different points in time may bedetermined to belong to the same device. Device identification can beused in fraud detection and/or determining device reputation.

A registry may be provided through which a user may be able to registerthe user's devices. Access to a system or permission of transactions maybe controlled based on whether a requesting device has been registered.The device may be identified using any of the techniques described inembodiments herein in order to determine whether the device has beenregistered and/or has been involved in any suspicious behavior.

Additional aspects and advantages of the present disclosure will becomereadily apparent to those skilled in this art from the followingdetailed description, wherein only exemplary embodiments of the presentdisclosure are shown and described, simply by way of illustration of thebest mode contemplated for carrying out the present disclosure. As willbe realized, the present disclosure is capable of other and differentembodiments, and its several details are capable of modifications invarious obvious respects, all without departing from the disclosure.Accordingly, the drawings and description are to be regarded asillustrative in nature, and not as restrictive.

INCORPORATION BY REFERENCE

All publications, patents, and patent applications mentioned in thisspecification are herein incorporated by reference to the same extent asif each individual publication, patent, or patent application wasspecifically and individually indicated to be incorporated by reference.

BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the invention may be further explained byreference to the following detailed description and accompanyingdrawings that sets forth illustrative embodiments.

FIG. 1 is a diagram illustrating a consortium having one or more userdevices being connected to one or more online businesses that share userdevice information with an authentication repository that is part of theconsortium in accordance with the invention.

FIG. 2 is a diagram illustrating an example of an online institutionconnected to one or more user computer in accordance with the invention.

FIG. 3 shows an implementation of sharing data within a user group.

FIG. 4 illustrates an implementation of the consortium in a globalsetting.

FIG. 5A illustrates an implementation of the consortium with a referencetime.

FIG. 5B shows a table with an example of the use of the consortium witha reference time.

FIG. 6A illustrates an additional implementation of the consortium witha reference time.

FIG. 6B shows a table with an additional example of the use of theconsortium with a reference time.

FIG. 7 shows an example of how device identifiers may change over time.

FIG. 8 shows an example of how a global identifier may be formed.

FIG. 9A shows an example of information that may be tracked foridentification verification and/or fraud detection.

FIG. 9B shows another example of tracked information in accordance withan embodiment of the invention.

FIG. 10 shows an example of a tracking method in accordance with anembodiment of the invention.

FIG. 11 provides an illustration of information that may be stored andused to track a device and/or user in accordance with an embodiment ofthe invention.

FIG. 12 provides an example of a user interacting with multiple devicesin accordance with an embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

While preferable embodiments of the invention have been shown anddescribed herein, it will be obvious to those skilled in the art thatsuch embodiments are provided by way of example only. Numerousvariations, changes, and substitutions will now occur to those skilledin the art without departing from the invention. It should be understoodthat various alternatives to the embodiments of the invention describedherein may be employed in practicing the invention.

The invention provides systems and methods that identify users and/oruser devices connecting to a network. The invention relates to one ormore consortia of communication networks that share information aboutusers or user devices. The invention is applicable to network securityand the detection of fraudulent transactions and identity theft. It willbe appreciated, however, that the systems and methods in accordance withthe invention can have greater utility; for example, the invention mayalso be applicable to any system where a user or user deviceidentification may be relevant. One aspect of the invention is creatingassociations, tracking behavior over time, and sharing information withmultiple networks or businesses that stand to benefit from sharing thistype of information.

The invention may be applicable to any type of transaction in which itmay be desirable to identify a user or device. For example, theinvention may be used to detect fraud being carried out by one or morenetwork devices and user accounts over a communications network, or evendetecting and preventing potential fraud or identity theft byindividuals trying to complete a transaction remotely by phone or mail,or even in person. The invention may be used to build user and/or devicereputation, whether good or bad. One aspect of this system and method isto associate pieces of information about a transaction, monitor theseassociations, and share the information about these associations withother businesses within one or more consortia.

FIG. 1 is a diagram illustrating a consortium having one or more userdevices being connected to one or more online organizations or hoststhat share user device information with an authentication repositorythat is part of the consortium in accordance with one embodiment of theinvention. The one or more user devices may include user computerswhether they be a personal computer, server computer, or laptopcomputer; personal digital assistants (PDAs) such as a Palm-based deviceor Windows CE device; phones such as cellular phones; a wireless devicesuch as a wireless email device or other device capable of communicatingwireless with a computer network; or any other type of network devicethat may communicate over a network and handle electronic transactions.

A user device may have a memory and a processor. The memory may storenon-transitory computer-readable media comprising code, logic, orinstructions for executing one or more step described herein. Aprocessor may execute any of the steps described herein. A user devicemay have a user interface. For example, a display may be providedcapable of conveying information to the user. For example, a display mayshow a web browser and information relating to an interaction ortransaction between a user device and an online organization. The userdevice may be able to receive an input from a user. For example, a userdevice may have or accept input from a computer, mouse, joystick,trackball, pointer, pen, microphone, motion sensor, optical sensor,infrared sensor, capacitive sensor, pressure sensor, camera,touchscreen, or any other input device. The user may be able to enterinformation relating to a transaction via any input device. The userdevice may have a clock or other timekeeping device. The device clockmay indicate a time for the device, which may or may not correspond toan objective time for a location of the device. The device clock may ormay not be synchronized with other clocks. The device may have anInternet Protocol (IP) address.

The online organizations connected to the one or more user devices maybe any sort of host, such as an electronic commerce business, an onlinemerchant, a financial institution, or any other type of website serviceprovider that may provide a service to a user or may interact with auser device. An online organization and a user device may perform anelectronic transaction, such as a purchase of a product or service, suchas online banking. In accordance with one aspect of the invention, eachelectronic transaction may be susceptible to fraud and each user deviceor user can be identified to reduce the risk of fraud. In someinstances, a user device reputation or trust score may be monitored, andless processing or fewer security checks may be required for a userdevice with a good reputation than a user device with a bad reputation.

The connection between a user device and an online organization may be,for example, a connection between a client computer and a website serverover a network. One or more servers may communicate with one or moreclient computers across a network. The network, for example, can includea private network, such as a LAN, or interconnections to the onlineorganizations over a communications network, such as the Internet orWorld Wide Web or any other network that is capable of communicatingdigital data, such as a wireless or cellular network. Each user devicemay connect to any online organization over the network using dataprotocols, such as HTTP, HTTPS and the like.

When a user device is communicating with the consortium, the devicememory may store an operating system (OS) and a browser application. Forexample, the operating system may operate to display a graphical userinterface to the user and permit the user to execute other computerprograms, such as the browser application. The browser application, suchas Microsoft Internet Explorer, when executed by the processor, permitsthe user to access the World Wide Web as is well known. The user devicemay interact with an online organization that is part of the consortium,which may perform some fraud prevention and detection functions and maygenerate a device identifier derived from information gathered about theuser and/or user device in accordance with the invention. The onlineorganization and/or consortium may generate a device identifier, analyzea device identifier, generate a global identifier, and/or analyze aglobal identifier. Any description herein of device identifiers may alsobe applied to global identifiers and vice versa.

In some embodiments, an online organization may have one or moreweb-based server computers, such as a web server, an application server,a database server, etc., that are capable of communicating with a userdevice over a network, such as the Internet or a wireless network, andare capable of downloading web pages to the user device. In someimplementations, the online organization may comprise one or moreprocessors, one or more persistent storage devices and a memory. For theonline organization to interact with the user devices, the memory maystore (and the processor(s) may execute) a server operating system and atransaction processing software system to facilitate an electronictransaction between the online organization and one or more userdevices. For example, memory may store non-transitory computer readablemedia comprising code, logic or instructions for performing one or morestep. One or more programmable processor may be capable of executing thesteps. Each online organization may further comprise a database, such asa database server or a data structure stored in the memory of the onlineorganization, that stores the electronic transaction data for the onlineorganization. In some embodiments, a server for an online organizationmay have greater computing or processing power than a user device.Similarly, the server may have more memory than a user device.

The online organization may control each device and/or each user'saccess to the resources of the online organization by, for example,denying access to a user or device in particular circumstances. Forexample, if a user device has been implicated in fraud, an onlineorganization may prevent a transaction with the user device fromoccurring. In another example, if a user has a ‘bad’ or ‘low’ rating, anonline organization may prevent the user from participating in anelectronic sales forum, or may require further security checks oridentity verification. In another example, if a user has a ‘good’ or‘high’ rating, an online organization may permit the user to participatein the electronic sales forum, perform fewer checks on the user, and/orprovide rewards, discounts, or privileges. A user's rating or reputationmay be calculated as a score (e.g., numerical value, letter grade, etc.)as described elsewhere herein.

In a preferable embodiment of the invention, the online organizationsmay be connected to an authentication repository. The authenticationrepository or fraud detection monitor that is part of a fraud detectionconsortium may be connected to the online organizations over a network.If the central repository is connected to the network, then the databetween the online organizations and the authentication repository maybe encrypted or may travel over a virtual private network to ensureprivacy and security.

Thus, the authentication repository may receive user and/or user deviceinformation from each online organization, which may collect user oruser device information from each user device during an onlinetransaction. The repository may store some or all of the informationreceived. The repository may store information received in a memory ofthe repository. In some instances, one or more databases may be providedfor a repository. In some embodiments, a distributed or cloud computingenvironment may be used to store information. The repository may have aprocessor capable of performing one or more step. The processor may beused to generate a device identifier and/or access information stored inrecords. The processor may be used to normalize information or putinformation into a desired format.

In some implementations, the authentication repository may generate adevice identifier that identifies each user device. In some cases, thedevice identifiers may be unique identifiers for each user device. Inother cases, the device identifiers may not be unique for each userdevice, but may be derived from information gathered about a user and/oruser device which may or may not be duplicative in another user device.The device identifiers may be static, or may change for a device overtime. In some cases, a device identifier may function as a “fingerprint”of a user device, and include various parameters derived from gatheredinformation about a user and/or user device to be discussed in greaterdetail below. In some instances, one or more of the various parametersfor a device may change over time or transactions, and the deviceidentifier may incorporate such changes. In some implementations, theauthentication repository may generate a global identifier, which mayincorporate the device identifier. The global identifier may have one ormore of the characteristics of the device identifier. Any description ofidentification information may also include the device identifier and/orglobal identifier.

Using the identification information in accordance with the invention,the authentication repository may be able to detect fraudulentactivities across the consortium. In particular, the authenticationrepository may provide a centralized service utilizing this invention toidentify user devices, store user and device information, track end-userlogins, associate an end-user account with one or more specific devices,associate a device with one or more end-user accounts, associate adevice or end-user with fraudulent activity, and share this informationwith each online organization of the consortium. The authenticationrepository may include a centralized database.

Any action taken within a fraud detection consortium may be directed bycomputer readable media, code, instructions, or logic thereof. These maybe stored in a memory, such as the memory of an authenticationrepository or the memory for an online organization.

In one example, a user computer, such as A1, may request access to thefraud detection consortium and a particular online business, such as A.To gain access to A, complete a transaction, or access a particular partof the network, a user may connect through a user device, which in thiscase may be user computer A1. The online business A may receive userand/or user information from the user computer and may then pass theinformation to the authentication repository. The online business may ormay not store the information gathered through the user device that ispassed onto the authentication repository.

In some implementations, the authentication repository may generate acomputer identifier which may be derived from the information gathered.The authentication repository may generate a global identifier which maybe derived from the information gathered. The global identifier mayincorporate the computer identifier. Any description of the computeridentifier may also pertain to the global identifier and vice versa. Inother implementations, a computer identifier may be generated atdifferent stages. For example, an online business A may gatherinformation from A1 and may generate a computer identifier for A1, andmay pass the computer identifier to the authentication repository. Theonline business A may only pass the computer identifier, may only passthe global identifier, may only pass gathered information, or may pass acombination of any of the three to the authentication repository.

Information or data, such as a computer identifier, global identifier,anchor, raw data, data used to make up the computer identifier or theglobal identifier, or any combination thereof may be stored in “pairs,”or may be “linked” or “associated.” Any type of data may be coupled withthe same or different type of data when stored in memory. The paireddata may be linked within memory where they are stored, or may have someother mechanism that associates them with one another. In one example,an email address and a computer identifier may be stored as a pair. Theemail address and computer identifier may be stored in memory together,as a unit of data. An anchor may include one or more items of userinformation. An anchor and a computer identifier may be stored as apair. An anchor may be stored with multiple iterations of the computeridentifier collected over time. Alternatively, they need not be storedtogether but may include pointers that associate them with one another.Although the term “pair” may be used, any number of data items may belinked in memory. For example, two, three, four, five, six, seven,eight, ten, twelve, fifteen, twenty, thirty, forty, fifty, eighty, onehundred, two hundred, or more items may be linked in memory. Asdiscussed in greater detail below, any of these linked sets of data maybe shared together. In some instances, an anchor may include informationthat may be used to access the data item pairs. For instances, anchormay remain the same for multiple iterations of the computer identifiercollected at different points in time and associate with the anchor. Theanchor may serve as an index, baseline, or reference point to find therelated pairs of information. The system and method may search ororganize records by the anchor in order to find information aboutrelated pairs of information.

In one embodiment, the authentication repository may store some or allof the information. For example, the authentication repository may storeall of the information gathered by online business A, B, C, D, and anyother businesses in the consortium. Online businesses A, B, C, and D mayor may not also store the information that is stored by theauthentication repository. The authentication repository may share someor all of the information gathered or generated, such as globalidentifiers, computer identifiers or detected fraud information, withthe online businesses of the consortium.

In an alternate embodiment, the fraud detection monitor or repositorymay facilitate transfer of information between one or more onlinebusiness without actually storing the gathered information. For example,information gathered by online business A may be stored on A's server,and information gathered by online business B may be stored on B'sserver. The fraud detection monitor may enable transfer of informationfrom A to B, C, D, and any other businesses and so forth for the otheronline businesses. The fraud detection monitor may also processinformation, with or without storing it on a fraud detection monitorserver, such as generating global identifiers or computer identifiers,or detecting fraud from information gathered from one or more onlinebusiness, and may share this information with the online businesses ofthe consortium. The fraud detection monitor may detect fraud by crossreferencing the gathered information and tracking user and devicebehavior over time. In some cases, the fraud detection monitor may onlystore processed information, such as global identifiers, computeridentifiers, fraud indicators, or reputation scores.

In some embodiments, each online business may represent differentprivate network environments operated by independent organizations thatdo not share end-user identities. The data storage system, such as a setof databases, used by each online business may be remotely located atthe authentication repository and can be a service provided by a thirdparty. Alternatively, online businesses may communicate via a network,such as the Internet, such that end-user identifiers may be shared.

Another example provides fraud detection and information processingapplications distributed across a plurality of computing devices (withno central authentication repository and database). The computingdevices may be the online businesses' devices, the user devices, or acombination of the user devices and online businesses, such that eachmay perform part of the functions of the fraud detection and preventionsystem in accordance with the invention. For instance, the variousonline businesses may share information with one another in a peer topeer manner, and may collectively detect fraud. In one case, onlinebusiness A may detect an at-risk user device and share this informationwith online businesses B, C, D, and so forth. Online businesses A, B, C,and D may share information in a peer to peer manner such that they allhave access to certain information.

Those skilled in the art will appreciate that the fraud detectionconsortium may be implemented in various different manners that arewithin the scope of this invention, such that previous discussions areprovided by way of example only and are not limiting.

One aspect of the invention provides for multiple consortia that mayinteract with one another and share information. For example, anauthentication repository may communicate with another authenticationrepository. In some embodiments, information gathered from an onlinebusiness may be shared between one or more authentication repositories,which may subsequently share the information with the other onlinebusinesses that they are connected to. In some implementations, theinformation shared between a first repository and second repository maybe stored by both the first and second repositories before beingdistributed to connected online businesses. Alternatively, a repositorymay merely pass on information it receives from another repository. Theinformation may be stored or shared in various ways that are known inthe art.

For instance, any information stored by an authentication repository maybe stored in one or more database of the authentication repository. Inone example, the database may have a database table containing pertinentinformation. However, the data may be stored in different databases andmay include different database data structures that are within the scopeof this invention. In this example, a database table may include a hostcolumn, a unique user-account name, and a user device identifier columnthat may permit the fraud detection system to associate a particularhost (or online business) with a particular user and a particular userdevice. As described above, the user-account name may represent end-useraccounts that are unique to each host. The user device identifiers mayrepresent user devices that have connected to at least one host. Theindividual rows in the database table may represent unique combinationsof host, user-account names and user device identifiers. The databasetable may enable the same user connecting to a different online businesswith the same user device to be tracked and registered in theconsortium. A great deal of additional information may be maintainedsuch as last successful login date and time, last unsuccessful logindate and time, total successful logins, total unsuccessful logins, etc.as well as any relevant personal and non-personal information, to bediscussed in greater detail below. Additional information may be storedin memory, such as information pertaining to global identifiers and/orchanges in device identifiers. Such information may be discussed ingreater detail below.

As previously discussed, information may be stored in “pairs,” which mayrefer to any number of data items that may be somehow linked orconnected together. A database table, as mentioned previously, may be animplementation of storing data in pairs. In a consortia or multipleconsortia, such information may also be shared in “pairs.” For example,a particular host may always link together a credit card number andemail address. Such information may be stored and shared as a pair. Insome embodiments, each host may have uniform pairs of data that may beshared. For instance, all of the hosts within an online consortium maystore together a credit card number and an email address. Similarly, anytime a credit card number is shared or tracked across a consortium, anemail address may also be shared and tracked with the correspondingcredit card number. In another embodiment of the invention, differenthosts may have different pairs of data that are shared (e.g., one hostmay always pair an email address with a username, and another host mayalways pair an email address with a delta of time parameter). Any of thedata items or types, including global identifiers, anchors, computeridentifiers, delta of time parameters, trust scores, or other itemsdiscussed herein, may be paired.

When data is stored and tracked as a pair, fraud detection andvalidation may be improved. For example, if a pair of identifying datais stored, and then the same pair appears again, the device orindividual can be identified with greater certainty as the same deviceor individual. Thus, consortia members may be able to share pairs ofinformation to track a device or user.

Based on gathered information, and any information generated byprocessing the gathered information, such as a global identifier orcomputer identifier, to be described in more detail, the likelihood offraud being committed by a particular user with the user computer A1 maybe determined and an appropriate action can be taken. Assuming the usercomputer A1 is granted access to the network, the user computer performsits electronic transaction. If a fraudulent activity occurs during thatelectronic transaction, that information may also be conveyed to theauthentication repository and may be stored by the authenticationrepository. Alternatively, if fraudulent activity occurs, theinformation may be conveyed to the other online businesses. In thismanner, the one or more online businesses may share fraud informationbetween each other selectively so that a fraud committed against oneonline business, i.e. online business A, can be logged into and trackedby the authentication repository in accordance with the invention.Alternatively, information about fraudulent activity can be tracked bythe consortium of online businesses without analysis by anauthentication repository. Thus, a user or user computer that hascommitted fraudulent activities can be tracked even when the user oruser device logs into a different online business, i.e. online businessB. Therefore, the fraudulent activities of a user or user computer canbe tracked across the consortium.

Some implementations of using an authentication repository in aconsortium may involve repositories capable of handling various tasks.An authentication repository may be one or more stand-alone computingresource, such as a server computer, with a database or storage system,although the functions of the authentication repository and theinformation storage may be distributed in any number of ways, such as inexamples described previously. The authentication repository may includeone or more processors, one or more persistent storage devices and amemory. The authentication repository may further include a databaseserver/manager that may store the data in accordance with the invention.The structure and operation of the processor, persistent storage deviceand memory may be any computing device structure as known in the art.The memory may store a server operating system, and one or moreadministrator module that are executed by the processor to implement thefraud detection and prevention.

An administrator module may permit an administrator to interact with anonline business. For example, an administrator may determine thethreshold for enabling a user to interact with the online business ifthe user may be at risk for fraud. An administrator may also configureitems of the system, adjust query items and update items. Anadministrator module may also process the data stored or received by therepository, such as to generate a device identifier or globalidentifier. An administrator module may enable an administrator togenerate a query of, given a particular user device, what users haveused that network device or a query that asks, given a particular user,what network devices have been used by the particular user. Theadministrator may also configure a query that asks, given a particularuser device, what other online businesses set this network device toassociate users/computers a predetermined number of levels deep or givena particular user, what is that user's current status in the system. Anadministrator module may perform additional administrative functionssuch as generating reports from the fraud detection and preventionsystem and its database.

In some embodiments, hosts, such as online organizations or businesses,may be able to individually control their interactions with userdevices. For example, hosts may set up any number of device and userstatus levels, and establish any number of behavior patterns, each ofwhich might require a different action, such as notify a particularemail address, page a particular number, deny access to the network,allow access but change the status of the device, etc. In some cases,each host can establish its own customized rules for every aspect of thepresent validation method. Because of this, the same circumstances thatresult in denied access for an end-user for one host may not result indenied access for another host.

Alternatively, an authentication repository may control a host'sinteraction with a user device. For example, an authenticationrepository may determine whether a user device is at risk for fraud andmay deny the user device access to the consortium. In some cases, theauthentication repository's determination for fraud risk may be uniformfor all hosts.

Identifying information may be used for other applications in additionto fraud detection and prevention or network security. For example,gathered information may relate to a user rating, which may or may notrelate to fraud. Such information can be shared across one or moreonline businesses in a consortium, to track the user or user computeracross the consortium. In another example, gathered identity informationmay have applications in national security and law enforcement.

The information gathered in accordance with the invention may becustomized for different user device types. For example, with a personalcomputer that connects to an online business, the information gatheredmay include an IP address or browser ID and additional personal ornon-personal information to identify the user device. With a cellularphone, it is typically possible to extract data from the cellular phone,such as its serial number, so that only non-personal information may beused to identify the cellular phone network device. For a PDA userdevice, it may be typically possible to put data/information onto thePDA only so that the certain parameters only may be used to identify thePDA. Thus, depending on the user device, different information may begathered. In accordance with the invention, information may also begathered from a hardware device, such as a smart card or PCMCIA card,which may have its own unique identifier that may be used to uniquelyidentify the card. Thus, information gathering in accordance with theinvention may be implemented in a variety of different manners.

A user device's information, which may include risk for fraudulentactivity or reputation information, may be shared with various hosts atvarious times or manners. In some instances a user's information and/ora combination of the user's information and user device information maybe shared. For example, transaction information may be shared with allhosts whenever a transaction occurs. In another example, transactioninformation may be shared with all the hosts at particular times, i.e.updating each host every ten minutes, or whatever time an individualhost may wish to be updated. Alternatively, transaction information maybe provided to a host upon request by the host. For instance, if theinformation is stored with an authentication repository, a host maychoose to automatically update and access repository informationwhenever a transaction occurs between the host and a user device. Insome cases, individual hosts may be able to determine when or how theyreceive or send shared information. In other cases, information sharingmay be uniform across a consortium.

For any of the systems and methods described herein, a consortium mayoperate taglessly. One or more consortia may be tagless when they do notrequire a program to be downloaded to a user device. For example, anonline host and/or authentication repository may collect informationabout a user or user device without the use of cookies, text parcels, orprograms sent from a server to a client computer. A fraud detectionconsortium may be able to detect fraud without downloading a frauddetection program to a user device. Rather, a consortium may operatetaglessly by collecting information from a user device without requiringa user device to download additional applications from any of the hostsor repositories of the consortium. For example, instead of “pushing” anapplication or tag onto a user device, a consortium may enable data tobe “pulled” or extracted from the user device.

FIG. 2 is a diagram illustrating an example of an online institutionconnected to one or more user computers or devices in accordance with anembodiment of the invention. An online institution may gatherinformation from a user computer. As discussed previously, theinformation may be gathered during an online transaction and may be usedto identify a user and/or user device. In accordance with the invention,the consortium may utilize a user or device identifier or combinationthereof, or any other data that may be used to identify a user or deviceor combination thereof. In some embodiments, a user may be identifiedbased on a number of parameters. The parameters from the gatheredinformation include a delta of time parameter, to be discussed furtherbelow. Other information or parameters may also be used to assist inidentifying a user and/or user device. In some situations, it may beimpossible to extract data from a user device so that only a generateddevice name can be used to identify the user device.

A delta of time parameter may be determined from information gatheredduring a transaction between a user device and an online institution.Such information may include a local time for a user device according toa clock of the user device. A local time may include a date, hour,minute, second, millisecond, or any other denomination of time. In oneexample, the clock of the user device may be a resident computer clock.In another example, a clock may be an external clock that determines thetime of a user device. A user device may have one or more clock fordetermining a time of the user device. Information from one or moreclocks may be collected. Such information collected may also includerelevant time zone information, which may include information aboutDaylight Savings Time.

Other information may be gathered during a transaction between a userdevice and an online institution. For instance, upon making aconnection, an online website receives some non-personal identificationinformation from the customer device. In preferable embodiments, anonline website may receive some non-personal information taglessly. Thisnon-personal information typically includes Common Gateway Interface(CGI) parameters such as the customer's Internet Protocol (IP) Addressand the computer's Browser ID. While “hackers” can change, disguise,and/or emulate the IP address to mask a fraudulent transaction, most donot now have the capability nor the idea to do the same for the BrowserID. While some “hackers” can change the Browser ID, it is not a trivialtool and if one needs to change it all the time it is not allowing thosethieves to easily steal, hence, they are likely to go to a site thatdoes not check Browser IDs. In some instances, some or all of thenon-personal information may be used as part of a global identifier.

In a typical embodiment, when a customer decides to purchase services,goods, or information from a website, the customer inputs additional,and more personal, identification information. This personalidentification information may commonly include the customer's name,address, billing and shipping information, phone number, and/or e-mailaddress. Any other personal information, such as a customer's driver'slicense number, social security number, a personal identificationnumber, retail purchase location, or any other information that may becaptured as part of an online transaction could be used to identify andminimize transaction fraud and identity theft. In some instances, someor all of the collected personal information may be used as part of aglobal identifier.

A website server can capture the local time of the customer's computer,typically through a program such as JavaScript, as well as a referencetime. In preferable embodiments, the local customer computer time may becaptured taglessly. The website may capture customer computer time usinga script that may extract information from the customer computer,without pushing anything onto the customer computer. The script may be aserver side script. The script may extract information by querying thecustomer computer. The script may be a time capture script from thewebsite server for execution by the customer computer. The time capturescript may instruct the browser of the customer computer to obtainselected information about the customer computer during an onlineconnection, including a local time according to a clock of the customercomputer, a non-personal identification parameter, and/or a personalidentification parameter. The customer computer may accordingly provideselected information in response to the queries. The selectedinformation collected by the time capture script, such as the local timeof a customer computer clock may be returned to the website server inaccordance with the time capture script. Thus, a clientless capture ofinformation may be implemented by the server.

Typically the reference time may be the time of the server's computer.The time of a server's computer may include the local server time andany relevant time zone information, or the server may be synchronized toa set time, such as Coordinated Universal Time (UTC). The reference timemay also be an authentication repository server time. This may be thelocal time for the authentication repository, or the repository time maybe synchronized with a set time, such as UTC time. More details aboutcapturing time to calculate a delta of time parameter will follow.

The server then calculates the time difference (or delta of time)between the customer's computer clock and the reference time, such as aserver's computer clock. At the server, a delta of time parameter may becalculated based on a difference in time between the reference time(e.g., local server time, UTC time) and the local time of the customercomputer clock received from the customer computer. This can be recordedin any desired format such as hours, minutes, seconds, or the like, butcorresponds to a delta of time parameter. The delta of time parameter,the non-personal information, including but not limited to the preferredusage of the Browser ID, and/or the personal information are stored bythe merchant and used to identify the customer and/or customer computer.

In accordance with one embodiment of the invention, the relativecustomer computer local time according to its resident clock may becaptured, typically through a program such as JavaScript or any othertime indicator employed by telecommunications and networking systemssuch as timestamps within transmitted data packets (e.g., TCP timestampsin packets within a data stream wherein each packet includes a headerportion containing a 32-bit timestamp generated by a originatingcomputer according to local resident time). The local time of a customercomputer or client may be captured during any selected moment of actionsuch as when the customer visits or is logging into a merchant site, atthe time of a purchase or at times during an exchange of informationthat can be reflected in timestamp to data packets transmitted across aselected network or the Internet. Similarly, the time can be captured atmultiple times during an online transaction.

In some embodiments, a merchant web server may also maintain and measurea relative website server time according to a server clock. The timedifference or delta of time as between the customer computer clock andthe server's computer clock can be therefore calculated. This approachin determining when to measure a time of action or event may becharacterized as opportunistic in that measurements are taken atselected moments in time. The delta of time can be measured, calculatedand recorded by the merchant web server or any other computer operatingwith or connected to the merchant online system, such as anauthentication repository. The delta of time may be measured in anydesired format or increments of time such as days, hours, minutes,seconds, milliseconds (microseconds) or the like. Over different periodsof time, the delta of time parameters are generally persistent withrelatively high degree of accuracy. Accordingly, the measured timedifference between these computer clocks provides a parameter inaccordance with this aspect of the invention that may link or associatea particular customer computer with transactions. The association of thecustomer computer with a transaction may help prevent fraud when aparticular transaction may involve fraud.

The delta of time (Time Diff) parameter provided in accordance with thisaspect of the invention may function alone or combined with otherparameters to provide what may be characterized as a “PC fingerprint.”Such devices include personal computers or any other type of computingdevices or computers (hereinafter collectively PC). Each PC connected tothe Internet may be configured slightly differently and may possessidentifiable characteristics distinguishing it from other devices whichcan be exploited by the invention. A more accurate PC fingerprint may begenerally developed by considering a greater number of availablecomputer related parameters. Such computer related parameters may remainthe same or may vary over time. Thus, a PC fingerprint may remainstatic, or may dynamically change over time. The Time Diff parameter mayserve as part of a PC fingerprint for identifying a device which servesas a distinctive mark or characteristic about a particular user device.In addition to a Time Diff parameter, the flow of information exchangedduring an Internet session may be captured and provide significantinformation about the user PC on the other end. This type of informationexchange considered by the invention is preferably invisible and/ortransparent to users, and does not rely on user action or modificationof online behavior.

The Time Diff parameter may thus link incidents involving fraud,hacking, phishing etc. by automatically correlating information such aslogin data, computer data and customer data. For example, by analyzingdata sent from the user device, information about the device and browserused by an individual may be obtained such as a Browser ID, theBrowser/device IP address and the particular Browser language. Byformulating a more accurate PC fingerprint or global identifier, thereis less likelihood of mistakenly associating a user with a fraudulenttransaction (false positive) during e-commerce transactions, or failingto detect a fraudster. Other applications of the invention includenational security and law enforcement whereby a computer can be uniquelyidentified in a manner similar to way thieves can be identified by aphysical fingerprint. Accordingly, a PC fingerprint or global identifierprovided by the invention enables the ability to link and connectdifferent online accounts and activity to a same device.

A global identifier provided in accordance with an embodiment of theinvention may be captured during selected moments of action during anInternet session, such as the login step or procedure. The globalidentifier may be generated at a single time or multiple times during anonline transaction. Flags may be raised if the global identifier changesin a particular way during an online transaction. The global identifiermay or may not incorporate a Time Diff parameter. The global identifiermay be analyzed in conjunction with a Time Diff parameter.

The Time Diff parameter provided in accordance with the invention may becaptured or measured during various selected moments of action during anInternet session such as the login step or procedure. This may includemeasuring the Time Diff parameter at multiple times during an onlinetransaction, which may raise flags if the Time Diff parameter changesnoticeably during an online transaction. Many e-commerce merchants,financial institutions, and Internet Service Providers (ISPs) manageaccounts and user logins on an enormous scale. This aspect of theinvention can be applied to broader applications online to authenticatea user or uniquely identify a computer on the Internet in addition toe-commerce transactions and fighting fraud or identify theft. Forexample, the invention may be applied where a merchant or financialinstitution (FI) server resides in California, USA and a valid customer(Customer) who also normally resides in California, USA. It shall beunderstood that the following examples below describe login procedureswhich could be modified according to the invention for any otherselected moment of action during an Internet session such as logoutprocedures, when a user clicks a “submit” button within a userinterface, or transmission of any other information between usersonline.

During a “valid” login procedure, the Customer may initiate a loginprocedure from a web browser on a computer that registers a timeaccording to its clock as follows: Time=11:00 am/Time Zone: UTC −8 andan IP address from the California region. Meanwhile, from theperspective of the FI, the recorded time at the FI server according toits respective clock may be: Time=11:01 am/Time Zone: UTC −8 and an IPaddress from the California region. It shall be understood that theinvention may incorporate IP address locator tools which determine anidentifier for an online device and its location based on geographicregions within a country or around the world. Upon analysis of thisinformation from the Customer that may be reflected on a conceptual oractual Score Card, which can be calculated and stored in memory withinthe server of the FI or any its other network computers, the FI candetermine whether there is a match indicating a valid user login.Accordingly, the exchange of information in the above described examplemay be reflected as a match on or as a Score Card that measures thevalidity of the customer: Time Diff=Match/Time Zone=Match/IP=Match.

During a “suspect” login procedure, a Customer may initiate a loginprocedure from a web browser on a computer that registers a timeaccording to its clock as follows: Time=10:02 pm/Time Zone: UTC +3 andan IP address from a region in Russia. Meanwhile, from the perspectiveof an FI, the recorded time at the FI server according to its respectiveclock may be: Time=11:01 am/Time Zone: UTC −8 and an IP address againfrom its California region. Upon analysis of this information from theCustomer in accordance with the invention, the Time Diff and Time Zonemeasurements as between the Customer and the FI are different from priorvalid logins and therefore not a match. Furthermore, the IP addressreceived by the FI indicating a device outside of the California regionwould not be a match and further suggest an invalid login attempt by afraudster or other unauthorized individual. The Score Card for thislogin example measuring the validity of the customer can thus show: TimeDiff=No Match/Time Zone=No Match/IP=No Match. The FI would be thusalerted that the alleged Customer attempting to login was likelyinvalid.

During a “valid” login procedure from a Customer traveling with acomputer and browser in London, the Customer may initiate a loginprocedure at a registered time according to its clock as follows:Time=11:00 pm/Time Zone: UTC −8 and an IP address from a region aroundLondon. Meanwhile, from the perspective of an FI, the recorded time atthe FI server according to its respective clock may be: Time=11:01am/Time Zone: UTC −8 and an IP address again from its California region.Upon analysis of this information from the Customer, the Time Diff andTime Zone measurements as between the Customer and the FI are the sameas prior valid logins and therefore a match. While the IP addressreceived by the FI indicating a device outside of the California regionwould not be a match and suggest an invalid login attempt, thecomparison of the Time Diff and the Time Zone measurements would be amatch. Because the Time Diff parameter provided in accordance with theinvention can be used in combination with other fraud parameters forauthentication and identification, a Score Card for this login examplemeasuring the validity of the customer could still show a matchnevertheless: Time Diff=Match/Time Zone=Match/IP=No Match.

The Time Diff parameter provides fraud detection tools for onlinemerchants, financial institutions and other parties providing serviceson the Web. These tools can be applied to combat well recognizedproblems such as reducing the number of false positives which reducepossible revenue from mistakenly identified valid users. In addition,Time Diff based tools provide an effective solution to identifying andpreventing fraud during the course of international and overseastransactions where there are significantly increased risks of fraudulentactivity. Accordingly, the Time Diff parameters herein allow thecreation of a more accurate and relevant geo-location or PC fingerprintfor many different types of online transactions around the world.

It shall be understood that the Time Diff parameters provided inaccordance in this aspect of the invention may be defined as thedifference in the registered computer times as measured in any unit oftime (e.g., days, hours, minutes, seconds, milliseconds, microseconds)between any selected computers either alone, or in combination with theTime Zone herein or any other temporal characteristics. Furthermore, aswith other embodiments described herein, the concepts of the inventioncan be preferably applied to e-commerce transactions to deter oridentify fraud but is not limited thereto and are equally applicable toany other online application to uniquely identify and link a computerdevice on the Internet according to a Time Diff parameter. Whileconsideration of Time Diff parameters alone may not be completelyeffective as with any solution against fraud, phishing etc., the globalidentification and/or PC fingerprinting methods and techniques providedherein enables effective link analysis between computer devices andcompromised accounts or any other transaction having or associated witha fraudulent past or history. By following and learning from historicalincidents of security breaches and fraud, the invention can quicklypinpoint repeat offenders and build a stronger defense against differentcriminal behavior or schemes now known and those that will be developedin the future. The global identification and/or PC fingerprintingmethods may also permit the building of reputations for users and/ordevices. The historical information may be gathered and associated toincrease, decrease, or maintain a reputation/trust rating. It may beuseful to know whether the user and/or device has a high or lowreputation rating to expedite transactions, provide incentives oroffers, assess likelihood of fraud, and/or prevent attacks.

A global identifier may be generated for use in detecting fraud relatedto online commercial transactions or other commercial transactions. Theglobal identifier may include or be generated based on a deviceidentifier. Further descriptions relating to the global identifier areprovided elsewhere herein.

In accordance with some embodiments of the invention, a deviceidentifier, such as a customer computer identifier may be generated foruse in detecting fraud in connection with online commercialtransactions. The customer computer identifier may be used to identifyany user device. For instance, a merchant web server may receivecustomer personal information, such as name, address, phone number, etc.A web server may also receive non-personal information from the customersuch as IP address and Browser ID. The web server may capture the localtime and the time zone at the customer computer. The delta of timeparameter may be calculated at one or more times during the transaction.It should be noted that the delta of time parameter may be calculated atthe time of the customer login, other times during a transaction or atany selected moment of action. Using the customer information and thedelta of time parameters, the customer computer identifier isdetermined. In some examples, a customer computer identifier may includeall the data collected as fields, may be a hash of the data, acombination thereof, or any form of data derived from the collecteddata. In some instances, a global identifier may include a customercomputer identifier or be generated based on multiple customer computeridentifiers over time. The global identifier may optionally include ananchor. Any one or more of these steps may be used in combination witheach other and in a different order of operation depending on selectedapplications. It should be further understood that processes inaccordance with this embodiment of the invention may provide a delta oftime parameter and a computer identifier and/or a global identifierdescribed elsewhere herein and also used together with other aspects ofthe invention.

In another preferable embodiment of the invention, a particular subsetof selected parameters or fields can combined or aggregated to constructa customer computer identifier. For example, the customer computeridentifier can be determined based on selected customer personalinformation, customer non-personal information, including a Browser IDand a delta of time parameter. These selected parameters are not meantto be limiting and other information or fraud parameters describedherein or otherwise known to those of ordinary skill may be used tocreate a customer computer identifier. Specifically, another preferableembodiment of the invention includes a customer computer identifierconsisting of a delta of time parameter plus a Browser ID alone whichcan be used to identify or “fingerprint” a user computer. The delta oftime parameters provided in accordance with this and other aspects ofthe invention herein offer fingerprinting capabilities that uniquelyidentify particular computing devices used in online transactions.Because computer users rarely personally change the internal clockswithin their computers, the delta of time parameter will likely be thesame (or within a range or within predictable limits) for a computerevery time that computer is used to conduct an online transaction withthe same merchant even if the user disguises or changes the IP address.The Browser ID is also not likely to be changed, even by a consumerseeking to perpetuate a fraudulent transaction. Thus, the delta of timeparameter (the difference between the time of day of the computer user'sclock and a reference time) is an important component of the computeridentifier because it, along with the preferred Browser ID or otherpersonal or non-personal information, is a good indication of theidentity of a subsequent user on the same computer. The delta of timeparameter also allows the merchant to potentially locate the computer interms of a time zone, region, or country.

An online organization or merchant may include, remove, and weigh eachparameter within the computer identifier. For example, the merchant maychoose to only use the delta of time parameter and Browser ID to formthe unique computer identifier. Accordingly, the merchant may set amatching parameter to fit a level of comparison between a first andsubsequent transaction. For example, since deltas of time may slightlychange because of the differences in accuracy between the server and theuser computer clock mechanism, computer clocks and deltas may slightlyvary over time. The merchant may set the matching parameter to include arange of delta of time, such as a few minutes, instead of an exactmatch. This way, even if the user computer “loses time,” the matchingparameter can still identify the subsequent transaction as a potentialfraudulent one based on other information within the computeridentifier.

FIG. 7 shows an example of how device identifiers may change over time.For example one or more device identifiers may be generated for the samedevice. In some instances, the device identifiers may be generatedduring each online transaction using the device. A single deviceidentifier or multiple device identifiers may be generated during anonline transaction. The device identifiers that have been identified asbelonging to the same device may be stored in memory. For example, for aparticular device, DID1, DID2, DID3, DID4, DID5, DID6, and any otherdevice identifiers identified as belonging to the same device may bestored in memory and/or accessible. The information relating to aparticular device may be aggregated. Thus, a device identifier may havelongevity. The change of a device identifier and/or rate of change of adevice identifier over time may be tracked.

The device identifiers may or may not change over time. In someinstances, one or more parameters making up a device identifier maychange. In some instances, a certain degree or magnitude or change maybe expected for one or more parameters, if they belong to the samedevice. Change may be assessed based on which parameters changed. Also,the degree or magnitude or the types of changes may be analyzed. In someinstances, overall change of the device identifiers may be monitored.The change of specific parameters used to formulate the deviceidentifiers may be monitored.

In some instances, one or more device similarity percent (DSP) may becalculated. In one example, a device similarity percent (e.g., DSP A)may be calculated between a first device identifier and a second deviceidentifier (e.g., DID1, DID2). The DSP may be calculated based onnumerical or value differences between one or more parameters involvedin the formulation of the device identifier. In some instances,weighting of the one or more parameters may be involved in calculatingthe DSP. One or more qualitative aspect may be taken into considerationwhen calculating the DSP. In some instances, if the DSP exceeds apredetermined threshold, the device identifiers may be determined tobelong to the same device. The predetermined threshold may have anyvalue (e.g., numerical percent value, such as 60%, 70%, 80%, 90%, 95%,or 99%). In some instances, DSPs may be calculated for various deviceidentifiers that are alleged to belong to the same device and/or thesame user. In other embodiments, DSPs may be calculated for all deviceidentifiers collected by a merchant or consortium, and used to determinewhether the device identifiers belong to the same device.

The DSPs may be calculated for the overall device identifier and mayhave fixed thresholds. In some instances, similarity percentages can becalculated for individual parameters of a device identifier and may havethe same thresholds for each parameter, or may have varying thresholdsfor different parameters (e.g., it may be more acceptable or expectedfor certain parameters to change than other parameters). In someinstances, the rate of change of device identifiers may be considered.For example, if a user for a device regularly makes many changes orupdates, then a lower threshold for those changes may be provided, aslong as the changes remain within a threshold rate of change.

In one example, a first device identifier (e.g., DID1) and a seconddevice identifier (e.g., DID2) may be compared to generate a devicesimilarity percent (e.g., DSP A). The device identifiers may bedetermined to belong to the same device. A third device identifier(e.g., DID3) may be compared to determine if the third device identifierbelongs to the same device as the first and second device identifier. Insome instances, a second device similarity percent (e.g., DSP B) may becalculated. DSP B may be calculated between the third device identifier(e.g., DID3) and the second identifier (e.g., DID2). In some instances,device similarity percents may be calculated between the current deviceidentifier and the immediately previous device identifier to determineif the current device identifier belongs to the same device as theprevious device identifier. In some other instances, DSP B may becalculated by assessing the similarity between DID3 and multipleprevious device identifiers (e.g., DID1 and DID2). The multiple previousdevice identifiers may go back to a limited number of previous deviceidentifiers, or may include all device identifiers analyzed as likelybelonging to the same device. The DSP may be calculated between each ofthe previous device identifiers and the current device identifier (e.g.,between DID3 and DID2, and between DID3 and DID1). In other embodiments,the DSP may be calculated between the current device identifier and aconglomeration or some sort of combination of the previous deviceidentifiers.

Similarly, when another device identifier (DID4) is generated, thedevice identifier may be compared with previous device identifiers(e.g., DID3 and/or others). The DSP (e.g., DSP C) may be calculatedbetween DID4 and DID3 (or any previous device identifiers).

The DSPs may acknowledge that a device identifier may evolve over time.One or more parameters used in the generation of a device identifier maychange. For example, clock skew may be provided on a device, that mayalter the time difference parameter between the device and a server. Inanother example, software and/or settings of the device may be alteredor upgraded. A DSP may be used to determine whether the change is of atype and/or magnitude that makes it likely that the device identifierrefers to the same device as the others.

In one example, as illustrated in FIG. 7, the device identifiers (e.g.,DID1, DID2, . . . ) may provided for one or more device 710 a, 710 b.The device identifiers may be provided for the same device or differentdevices. The device identifiers may be compared (e.g., DID1 vs. DID2) todetermine whether the devices associated with the identifiers (e.g., 710a, 710 b) are the same device, or different devices. The DSP (e.g., DSPA) may be a measure of the comparison that may used to determine whetherthe devices are the same devices or different devices. The devices mayinclude a memory 712 a, 712 b, processor 714 a, 714 b and/or acommunication interface 716 a, 716 b. The memory may store informationand/or non-transitory computer readable media. The processor may becapable of executing one or more step. For example, the processor mayexecute one or more step in accordance with the non-transitory computerreadable media. The communication interface may enable the device tointeract directly with an external device or over a network. A deviceidentifier (e.g., DID1) may be determined based on one or morecharacteristics of a device 710 a. In some instances, the informationstored in a memory 712 a of the device may be used to determine a deviceidentifier. In some instances, the device may have a clock, andinformation from the clock may be used to determine a device identifier.

FIG. 8 shows an example of how a global identifier may be formed. Aglobal identifier may be generated based on a device identificationcomponent and/or an anchor. In some embodiments, the global identifiermay be generated based on a dynamic portion and a static portion.Optionally, the device identification component may be a dynamicportion, and an anchor may be a static portion. The anchor may serve asa baseline or reference. The anchor may serve as an index by which toaccess information. The global identifier may include a portion that isbased on device identification, and a portion that is based on useridentification. Optionally, the anchor may be based on useridentification.

A global identifier may be stored in memory. For example, the globalidentifier may be stored in a memory of a repository.

A global identifier may be formulated based on two or more portions. Forexample a device identification portion and anchor portion may beprovided. Such portions may be stored separately, or may be combinedtogether. For example, a device identification portion may be accessedindependently of an anchor portion. The device identification portionand the anchor portion may be associated with one another. Such portionsmay be appended, or hashed together. For example, a string representinga device identification portion may be appended to a string representingan anchor portion. In another example, a string may be formedrepresenting some combination of the device identification and anchorportions.

The device identifier portion may incorporate one or more deviceidentifiers collected over time. For example, the device identifiers maybe formulated based on, or may include, one or more characteristics of auser's device, such as IP address, Time Diff Parameter, or othercharacteristics. In some instances, the device identifiers mayincorporate information relating to a physical feature of the userdevice or data collected from a portion of the device. For example, thedevice identifier may include or be based on information collected froma clock of the device. The device identifier may or may not includeinformation that is hard-wired into the device. The device identifiermay or may not include one or more settings of a device which may or maynot change over time.

The device identifiers may be collected at one or more different times.They may be collected over one or more different transactions. In someinstances, one or multiple device identifiers may be collected duringany given transaction. In one example, a current device identifierDID_(N), a previous device identifier DID_(N−1), and earlier deviceidentifier DID_(N−2), etc. may be used to formulate a deviceidentification component. The various device identifiers may be appendedto one another and/or hashed together. Any number of device identifiersmay be used to formulate the device identification component. In someinstances, a predetermined number of device identifiers may be used(e.g., the last one, two, three, four, five, six, seven, eight, nine,ten, fifteen, twenty, thirty, fifty, one hundred or more deviceidentifiers may be used to formulate the device identificationcomponent). Alternatively, there may be no limit to the number of deviceidentifiers used to formulate the device identification component. Theevolution of a device identifier may be stored and/or tracked. Asadditional information about a device is captured, it may be added to adevice identification of a global identifier, which may historicallytrack the evolution of the device identifier. Alternatively, a globalidentifier may have a single device identifier, and global identifiershaving device identifiers determined to belong to the same device may belinked or associated with one another. They may share the same uniquetrust insight identifier, as described elsewhere herein.

In some instances, a device similarity percent (DSP) may be calculatedbetween device identifiers to determine whether they belong to the samedevice and whether the new device identifier should be included in thedevice identification portion of the global identifier. For example, aglobal identifier for Device A may be provided. The deviceidentification component may be based on DID_(N), DID_(N−1), DID_(N−2),etc. A new device identifier may be captured and/or formulated from adevice DID_(N+1). The DSP may be calculated between DID_(N+1) andDID_(N), or between DID_(N+1) and each of the device identifiersindividually or in some form of combination. The DSP may be used todetermine if DID_(N+1) belongs to Device A and should be included withthe other identifiers as part of the global identifier for Device A. Forexample, if the DSP exceeds a threshold value (e.g., 80%, 85%, 90%, 93%,95%, 97%, or 99%), DID_(N+1) may be added to the device identifier.Adding a new device identifier may or may not cause an older deviceidentifier to drop off.

An anchor portion may include personal information about a user. Forexample, the anchor portion may include a user's email address, creditcard number, name, social security number, phone number, other personalinformation, or combinations thereof. In some instances, the anchor mayinclude a user's IP address, class C address, user ID, ABA routingand/or account number, or any combinations thereof. The anchor portionmay be information or combinations of various pieces of information thatmay be unique to a user. In some instances, an anchor may be a singlepiece of information or may be derived from a single piece ofinformation, such as a user's email address alone. In some instances,combinations of various pieces of information may form anchorinformation that may be appended to one another, and/or hashed together.The anchor portion may be static and not change over time. In someinstances, an anchor may be an index, baseline, or reference point.

Optionally, a user may update the user's personal information (e.g.,e-mail address, other contact information). Verified updates may causecertain anchor values to be equated to one another. For example, if auser's old email address is an anchor value, the new email address mayalso be an anchor value. The old and new email addresses may beassociated with or equated to one another for device tracking purposes.

In some embodiments, anchors may be one-way hashed. Anchors may enablespecific anonymity. For example, analytics may be run on a device's datawithout actually receiving the data. For example, the device may sendone-way hashed data. Such data may include user information and/ordevice information. For example, if a user's email isjohndoe@domain.com, a hashed string may be sent representative of theemail (e.g., 6031168D5AF405AFF89A50C900423FB9E3231F5B). Analytics may beperformed on the hashed data and/or the hashed data may be used foridentification without requiring the underlying initial information. Insome instances, such initial information may be collected by a merchantor other host. The merchant or other host may only send the one-wayhashed data to the consortium. Thus, other merchants or hosts may nothave access to the information. Alternatively, the underlying dataitself may be sent for analytics.

FIG. 9A shows an example of information that may be tracked foridentification verification and/or fraud detection. One or more of thefollowing may be tracked: device identifier, anchor, age of anchor,global identifier, age of global identifier, first visit, last visit,visit number, trust score, time difference, device similarity percent(DSP), and/or processing time. Such information may be collected duringa transaction/communication with a user device and another device (e.g.,host server). The information may be collected at a single time during atransaction/communication, or multiple times during thetransaction/communication. Information may be collected one or moretimes during each transaction/communication. The information may becollected from the user device taglessly or by any other techniques.

FIG. 9B shows an example of the information that is collected and/orstored. The anchor may be provided as a string. The anchor may beformulated based on information about a user. The anchor may be a hashof information collected about the user. The age of the anchor may bestored in any time value. For example, the age of the anchor may bestored in years, months, weeks, days, hours, minutes, seconds, ormilliseconds.

A global identifier may be provided. The global identifier may be basedon the anchor information and/or device identification information. Insome instances, a global identifier is a device identifier. The globalidentifier may be provided as a string or hash of the informationcollected. The age of the global identifier may be provided in any timevalue.

The time that a device having the same global identifier first visited aparticular host, or any host of the consortium may be stored. The lasttime the device having the same global identifier visited the particularhost, or any host of the consortium may be stored. The number of visitsof a device having the same global identifier has visited the same host,or any host of the consortium may be stored. The length of time overwhich a device having the same global identifier has visited the samehost, or any host of the consortium may be stored. The frequency ofvisits or currency values involved in the visits may also optionally bestored. Such information may be useful in determining a trust score orreputation for the device and/or user.

A trust score may be provided. The trust score may reflect a reputationof the device and/or user. In some instances, the trust score may bereflective of information collected from a device without requiring useof any information pertaining to a user. Alternatively, the trust scoremay be reflective of information collected relating to a user withoutrequiring use of any information pertaining to a device. In someembodiments, the trust score may be reflective of information collectedfrom both a device and a user of the device. The trust score may or maynot include personally identifiable information of the user. The trustscore may or may not include information pertaining to one or more userinteraction with a host (e.g., currency amounts, types of transactions,etc.).

Having a higher trust score may provide a higher reputation and/or lesslikelihood of fraud. The trust score may be a numerical value (e.g., 1to 10, 0 to 100), a letter grade (e.g., A, B, C, . . . ) or any otherform of rating. Activity by a user (e.g., online activity, financialinformation, other detected activity) may be analyzed to determinewhether the activity is likely to be good (i.e. or not bad). Good or‘not bad’ activity may cause an increase in trust score, whereas ‘bad’activity may cause a decrease in the trust score. The trust score may begenerated by the consortium based on information collected at theconsortium. In other embodiments, the consortium may provide informationto a host that may generate the trust score. The trust score may beshared across multiple hosts. In some embodiments, the trust score maybe accessible via hosts in the consortium even if the user and/or devicehas never accessed the host, or it's the first time for the user and/ordevice to access the host. For example, if a user is interacting (e.g.,partaking in a transaction) with a host for the first time, the host maybe able to access a trust score for the user from the consortium withouthaving had any previous interactions with the user. The user and/ordevice's historical interactions with other hosts or members ofconsortium may be used to determine a trust score and/or reputation forthe user and/or device that can follow the user and/or device to a newhost. Thus, a new host may use the trust score to determine whether auser and/or device is likely to be trustworthy, even if the user ordevice has never accessed the site before. This may advantageouslyleverage historical information from the consortium and the members ofthe consortium.

The trust score may be useful for determining a likelihood of fraud. Forexample, a device or user having a lower trust score may be more likelyto engage in fraudulent activities or be involved in a fraudulentactivity. A trust score may assist with establishing a reputation for adevice and/or user. In some instances, information may be collected overa longer period of time before a trust score can increase to aparticular level (e.g., it may be difficult to determine if a new deviceor user is ‘trustworthy’, but monitoring a device and/or user over anextended period of time may determine with greater confidence whetherthe device and/or user is trust worthy). In some instances, informationmay be collected over a larger number of visits before a trust score canincrease to a particular level. In some instances, a certain currency(e.g., dollar) amount may need to be exceeded overall in varioustransactions before a trust score can increase to a particular level.

A trust score may be useful in determining whether to permit thecompletion of a transaction. For example, a user may interact with amerchant or other entity. A request may be made for a financialtransaction (e.g., the user purchases an item or service from theentity, the user provides a donation to the entity). The merchant maysend information about the transaction to one or more third party (e.g.,acquiring bank, global financial services, issuing bank) that mayconfirm or deny the transaction. One or more of the third party mayaccess information in a data repository pertaining to the device and/oruser, which may include the trust score. The merchant may alsooptionally access information pertaining to the device and/or user,which may include the trust score. If the trust score meets or exceeds apredetermined threshold, the transaction may be confirmed; if the trustscore falls beneath the predetermined threshold, the transaction may bedenied. The merchant and/or the third party may be provided with anidentifier that may serve as an index to access the information. In someinstances, the index may be a global identifier as described elsewhereherein, or an anchor value. In some instances, the index may be formedof information that may be sent to the one or more third party in ausual course of confirming or denying a payment. The index may include auser name, credit card number, and/or transaction amount. In someinstances, the index may be an anchor value as described elsewhereherein.

Having a lower reputation may provide an increased likelihood offraudulent activity. In some instances, having a higher reputation mayprovide specialized privileges and/or treatment. In one example, adenial of service (e.g., DDOS) attack may occur on a server. Devices orusers with high reputation may be identified and allowed to go through(e.g., perform actions/transactions on the server). Devices with lowreputation and/or not high reputation may be prevented from performingan action with the server, thereby reducing traffic and the likelihoodof a DDOS attack. In some instances, more security checks oridentification verification procedures may be implemented for usersand/or devices with a lower reputation.

Another example of specialized privileges or treatment for a higherreputation user or device may be qualifying the user for a special offeror status. The special offer may include discounts, coupons, rewards,cash, certificates, promotions, or other rewards for having a highreputation. In some instances having a higher status may allow a user toreceive specialized treatment (e.g., less wait time, accelerated review,easier access to customer service representatives, receipt of specialoffers not accessible to others, free shipping, access to items ormultimedia for free or discounted costs for which others would have topay full value, higher level of service or credit). In some instances,the special offer or status may be offered outright to the user who isnew to the host based on their pre-existing reputation at theconsortium, which may reduce or eliminate the need for investigation bythe host before providing these offers. This may permit the host orother hosts to focus review efforts on the higher risk transactions.

In some instances, more access or privileges may be granted to devicesand/or users with higher trust scores. Trust score information may beuseful for account openings, account login, and/or new and repeatbuyers. The use of trust scores may permit such actions to take place ata sooner time. For example, a user may be relatively new to a host, butthe host may determine that the user has a good reputation based oninformation from the consortium and provide the access or privileges.For example, a user may be opening an account with a host. The host maydetermine that the user has a good reputation from the user'spre-existing trust score, and may expedite approval for the user accountand/or provide privileges upfront. For example, the host may permit moretransactions (e.g., interactions, logins and sales) for new or returningcustomers at the outset. The host may permit the transactions withoutrequiring the user to go through additional validation. Alternatively,if the host determines that the user has a bad reputation from theuser's pre-existing trust score, the host may reject the user's accountoutright, or may put the user on a probationary period, provide limitedaccess, or require additional specialized actions by the user. This maysave the host time be reducing the number of manual reviews and mayreduce costs of handling reviews. This may also reduce or eliminatedelays for users with good reputations.

A trust score may evolve over time. The trust score may be associatedwith a device, so even if the device identifiers may evolve over time,the trust score may carry through based on the historical information ofthe device. Unique trust identifiers may be generated and/or tracked foreach of the identified devices.

The trust score may be based on collected information. The trust scoremay be calculated based on a relationship between a device and ananchor. The relationship may be calculated based on the number of timesthe device-anchor pairs have been seen in the wild (e.g., amongtransactions at the same host or across multiple hosts of theconsortium), and/or how long the pair has been seen together. This maypermit a high score for digital consumers who repeatedly use theirdevices and anchors together. It may also permit the score to be limitedfor those who want to inflate their score, by limiting the number ortypes of interactions used.

A time difference parameter (e.g., TDL) may be provided. The timedifference parameter may be stored in any time unit. The time differenceparameter may be calculated using any techniques described herein. Thetime difference parameter may be stored separately from the globalidentifier and/or may be incorporated into the global identifier.

A device similarity percent (DSP) may be provided in accordance with anembodiment of the invention. The DSP may have characteristics asdescribed elsewhere herein. In some instances, the DSP may be calculatedfor the present device identifier relative to a previous deviceidentifier. DSPs may be calculated for the present device identifierrelative to multiple previous device identifiers. The various DSPs maybe compared to determine if the present device identifier belongs to aparticular device. A higher DSP may provide a higher likelihood of amatch. In some instances, the DSP value exceeds a threshold value inorder for a device identifier to be associated with a particular device.

Processing time may be calculated in accordance with an embodiment ofthe invention. The processing time may be indicative of the amount oftime it takes to process the other calculated information. Theprocessing time may be stored in any units of time measurement. In someinstances, if a processing time exceeds a particular threshold, a redflag may be raised as suspicious activity.

FIG. 10 shows an example of a tracking method in accordance with anembodiment of the invention. Behavioral analytics may be used toauthenticate a user. In some instances, user identification and/orauthentication may include one or more factors such as what the userknows (e.g., personal information such as the user's email, phone creditcard, etc.), what the user has (e.g., the user's device information),and/or what the user repeatedly does over time (behavioral analytics).Such information may be incorporated in a method of tracking informationuseful for identification and/or authentication.

In some embodiments, a tracking method may include one or more steps of:device identification, associating a device with an anchor, recognizinga returning user, and/or authenticating a user and/or device to ananchor. Any of the steps may be optional, and/or may occur in the orderpresented or any other order. Additional steps may be included.

Device identification may occur using one or more techniques describedelsewhere herein. Information about a device may be collected, asdescribed in various embodiments herein. Examples of such informationmay include device IP address, time difference parameter, and/or anyother characteristics. The device identification may occur taglessly.The device identification information may be stored in memory. Thedevice identification information may be accessible by one or moreentities of a consortium.

The device identifier may be associated with an anchor. The anchor mayhave one or more characteristics as described elsewhere herein. Theanchor may be formulated from personal information of the user. A globalidentifier may incorporate the device identifier and/or the anchor. Theanchor information and/or global identifier may be stored in memory,which may be accessible by one or more entities of a consortium.

A returning user may be recognized. In some instances, the returninguser may be recognized based on the device identifier and/or anchor. Forexample, a device identifier may be compared with previously storeddevice identifier in order to determine whether the returning device isthe same device. A device similarity percentage (DSP) may be calculated.If the DSP exceeds a certain threshold, the device identifier may bedetermined to belong to the same device as the previously stored deviceidentifier. The anchor may be compared with a previously stored anchor.In some instances, an exact match may be required for the anchor.Alternatively, the anchor may fall into an acceptable range ofsimilarity as the previously stored anchor. In some instances, a globalidentifier or the combination of a device identifier and anchor may beassessed in determining whether a user has returned. Further examples oftechniques of determining whether a device and/or user is returning maybe described in greater detail elsewhere herein.

A user and/or device may be authenticated to an anchor. In someinstances, if it is determined that the same device or user isreturning, authentication may be provided. In some instances, it may bedetermined whether the returning user and/or device provides anincreased likelihood of fraud. Similarly, the returning user and/ordevice's reputation may be assessed. Based on such assessments, a userand/or device may be authenticated to the anchor.

FIG. 11 provides an illustration of information that may be stored andused to track a device and/or user in accordance with an embodiment ofthe invention. In some instances, examples of information that may bestored may include a date/time 1110, raw anchor value 1112, formulatedanchor value 1114, device similarity percent (DSP) 1116, # uniqueidentifier 1118 (e.g., device identifier/global identifier), identifier1120 (e.g., device identifier/global identifier), and/or visit number1122. Such information may be stored in a memory. Examples of memoriesmay include one or more databases, which may be distributed over one ormore devices, such as servers. The records may be stored in a cloudcomputing environment or in a peer to peer manner.

The date/time 1110 may include when information was collected from auser and/or device. The date/time may indicate a time at a transactionwhen an identifier and/or anchor were calculated. The date/time mayindicate a time that information was conveyed to a consortium. Thedate/time may have any format. The month, day, and/or year may beincluded. In some instances, the day of the week may be included. Thetime may be recorded. The time may have any format, such as militarytime, or a time plus an AM or PM indicator. The time may be provided inhours, minutes, seconds, and/or milliseconds. The times may be inreference a consortium clock or a reference time used by the consortium.Alternatively, the times may be in reference to a host server, and/oruser device.

A raw anchor value 1112 may be included. The raw anchor value may or maynot be sent from the device to the host. In some instances a one wayhash may be provided. In another example, the raw anchor value may ormay not be sent from a host to a repository of the consortium, and/orother hosts. In one example, the raw anchor value may be an emailaddress. In other examples, raw anchor information may be associatedwith a user and/or transaction (e.g., combination of the user's name,credit card number, transaction amount). In the illustrated example, therecords having the same anchor value may be gathered and/or associatedwith one another.

A formulated anchor value 1114 may be included. In some instances, theformulated anchor value may be calculated based on a raw anchor value.The formulated anchor value may be a hash of the raw anchor value. Forexample, if the raw anchor value is ntemp@gmail.com, the formulatedanchor value may be a string, such as5c441a1dea399046a5fb1d3d881d72dba9ece38f. In some instances, theformulated anchor value may be a one-way hash of the raw anchor value.In some instances, the formulated anchor value may be sent from thedevice to the host. Alternatively, the formulated anchor value may besent from the host to a repository of a consortium, or to another host.

The example provided in FIG. 11 shows information collected for aparticular anchor. Over multiple transactions (e.g., in the wild),multiple anchors may be collected. In some instances, the informationmay be sorted or indexed by anchor. Information sharing the same anchormay be grouped, linked, associated, or accessible together. In someinstances, one or more anchor may be equated with another. For example,if a user changes the user's email address (and optionally such changeis verified to be accurate and not fraudulent), the old email addressand new email address anchors may be associated with one another and/orequated to one another. For data entries 1130, 1132 having the same rawanchor value 1130 a, 1132 a, the formulated anchor values 1130 b, 1132 bmay be the same.

A device similarity percentage (DSP) 1116 may be calculated. The DSP maybe calculated between one or more device identifier and/or information.In some instances, characteristics of a device, such as IP address, timedifference parameter, or any other characteristics may be collected. Thecharacteristics of the device may be compared with previously storedcharacteristics. In some instances, the characteristics may be used toformulate a device identifier. The device identifier may be comparedwith a previously stored device identifier in order to calculate adevice similarity percent. The device similarity percent may provide ameasurement or metric of the similarity between one or morecharacteristics of the device. In some instances, device characteristicsmay change over time. For example, a time difference parameter maychange over time. A device clock may have an internal clock skew, whichmay cause the time difference between the device clock and a referenceclock to vary over time. In another example, a device system orapplication may be updated with new versions. In some instances one ormore characteristics of the devices may be weighted when calculating thedevice similarity percent. A device similarity percent of 100% mayindicate that the device characteristics match exactly. In someinstances, when a new device is detected, it may have a default value of100% 1130 c.

A # unique identifier 1118 may be provided. For a given record entry,the number of new devices may be tracked. If the device similaritypercent for a device is below a particular threshold, the device may bedetermined to be a new device. In some instances, the device informationis compared to any previous devices. For example, the entry 1134 on5/05/2011 at 22:05:33 may have one or more device characteristics thatmay be compared with previously stored device characteristics. This mayinclude comparing a device/global identifier based on one or more devicecharacteristics with previously device/global identifiers. The devicecharacteristics may be compared against those associated with Device #1(as identified in entry 1130 having the #unique identifier 1 1130 d),and/or with Device #2 (as identified in entry 1132 having the # uniqueidentifier 2 1132 d). The DSP 1134 c was found to be 49.25%. The DSP maybe calculated against Device #2 only, or both Device #1 and Device #2.The percentage 49.25% may be the highest DSP found. In this case, theDSP is below a threshold value (e.g., 95%), which indicates a newdevice, Device #3 (having the # unique identifier 3 1134 d). Bycontrast, the entry 1136 on 5/01/2011 at 09:05:17 yielded a DSP 1136 cof 99.69% relative to Device #2. This value exceeded the threshold,which indicated that entry was performed by Device #2 as well.

An identifier 1120 may be provided. The identifier may be derived fromone or more device characteristics. The identifier may be a deviceidentifier. The identifier may be a global identifier which may or maynot incorporate the anchor. Devices involved in transactions determinedto be performed by the same device may have the same identifier. Forexample, all of the Device #1 entries may have the same identifier 1130e. All of the Device #2 entries may have the same identifier 1132 ewhich may be different from the Device #1 identifier. The identifier maybe a hashed string. The hashed string may be a one way hash based on oneor more device characteristics. The device characteristics may or maynot be shared with the consortium. In some instances, only theidentifier is shared with the consortium.

Visit numbers 1122 may be tracked. For example, the visit number foreach device may be tracked. When a new device is detected (e.g., entry1134 on 5/05/2011 at 22:05:33), the visit number may be set to 1 1134 f.Each subsequent visit from the same device may increase the visit number1138 f, 1140 f. In one example, the entry 1132 on 02/19/2011 at 07:22:00shows a low DSP 1132 c which indicates a new device (Device #2 1132 d),and visit #1 1132 f for that device. The next entry 1142 on 2/20/2011 at08:10:13 provides a DSP 1142 c that exceeds a threshold and isidentified to match with Device #1, and visit #4 1142 f for that device.

Thus, for a given anchor, such as email address 1130 a, the variousdevices 1130 d, 1132 d, 1134 d may be identified and tracked. Thepresence of new devices and the number of visits 1122 for the variousdevices may be tracked. The time that the devices access the system mayalso be tracked. The pattern of one or more devices for the anchor thataccess the system may be analyzed. As a device (having a # uniqueidentifier, e.g., trust insight identifier) and anchor pair are trackedover time, the trust score for the pair may be calculated. The trustscore may be useful for detecting fraud, providing a reputation, orreducing attacks, such as denial of service (DDOS) attacks.

FIG. 12 provides an example of a user interacting with multiple devicesin accordance with an embodiment of the invention. For instance, a user(NTEMP) 1210 may interact with a system using one or more devices (e.g.,Device #1 1220 a, Device #2 1220 b, Device #3 1220 c, Device #4 1220 d).The one or more devices may be identified through transaction records,as described in FIG. 11. For instance, a raw anchor value may be theuser's email address (e.g., ntemp@gmail.com), or other informationuseful for identifying the user. A device identifier may be determinedfor the one or more devices based on information collected from thedevices. A device similarity percent may be calculated for theinformation collected from the devices. If the device similarity percentis above a predetermined threshold in comparison to a previous recordfor a device, the device may be determined to be the same as that devicefrom the previous record. For example, if the device similarity percentis greater than the threshold (e.g., 97%) when compared with Device #1,it may be determined that the device from a current transaction isDevice #1 1220 a which had a previous record. If the device similaritypercent is less than 97% when compared to records for Device #1 andDevice #2, but greater than 97% when compared to records for Device #3,it may be determined that the device from the current transaction isDevice #3 1220 c. If the device similarity percent is less than 97% whencompared to all pre-existing records for devices (e.g., Device #1,Device #2, and Device #3), it may be determined that the device from thecurrent transaction is a new device, Device #4 1220 d.

The one or more devices 1220 a-d that a user may use to interact withthe system may include a memory (M), processor (P) and/or user interface(UI). The memory may store information, which may include non-transitorycomputer readable media comprising code, logic, instructions forperforming one or more step. The memory may include information aboutthe device and the setup of the device. The processor may be capable ofperforming one or more step, optionally in accordance with thenon-transitory computer readable media. The user interface may permitthe user 1210 to interact with the device. For instance, the userinterface may display data to the user. A user may be able to use thedevice to perform a transaction with one or more entity, via the userinterface. For example, a user may perform a financial transaction witha merchant using the device by using information displayed on the userinterface.

FIG. 3, as previously described, shows an implementation where data maybe shared. A consortium may be provided with one or more entities (e.g.,one or more merchants denoted by Airline 1-6). One or more user devicesmay interact with the one or more entities. A data repository (e.g.,user management module) may be provided where the entities may store,access, and/or share information with one another. One or more users mayinteract with a plurality of entities. In one example, a user (e.g.,NTEMP), may interact with one or more online entities (e.g., Airline 5,Airline 2, Airline 1) using one or more devices (e.g., Device #1 301,Device #2 302, Device #3 303, Device #4 304). In some instances, theuser may interact with multiple online entities (e.g., Airline 1 andAirline 5) using the same device (e.g., Device #1 301). Informationabout transactions conducted between the user and the online entitiesusing the various devices may be collected. In some instances, theinformation may be stored in a repository (e.g., user management module)that may be accessed by the multiple online entities, or may be storedat the multiple online entities who may communicate with one another. Ananchor value may be provided pertaining to the user. For example, theuser's email address (e.g., ntemp@gmail.com) may be collected for eachtransaction. The anchor value may serve as an index or a way of sortingrecords relating to the transaction.

Information from the devices (e.g., Device #1, Device #2, Device #3,Device #4) may be collected through the multiple transactions. The samedevice may be used for multiple transactions with the same online entityor different online entities. A device identifier may be formulatedbased on the information from the devices. A device similarity percentmay be calculated based on information from the devices. The devicesimilarity percent may be used to identify the device as a device from aprevious transaction, or a new device. The number of visits by each ofthe devices may be tracked. Activity by each of the devices may betracked. Such information may be useful for determining a reputation fora device and/or the user. For example, a particular device may act in asuspicious manner, while other devices of the user do not raise redflags. The user may be notified of this activity, and asked to verifythe device that is acting in the suspicious manner. In another example,a user may act suspiciously, regardless of which device is being used.The various online merchants interacting with the user may be warned,based on the anchor value. In another example, the number of devices inthemselves may be cause for suspicion (e.g., if a user uses a largenumber of different devices in a short period of time). In anotherexample, such information may be useful for determining a goodreputation of a device. For example, if a user has used a particulardevice many times without incident, the device may be ‘trusted’ or lesslikely to raise a red flag. If a user is using a new device, the devicemay have yet to earn the ‘trust’ and may be monitored more carefully orstrictly for different activity.

In a consortium with one or more online merchants, each merchant may beable to autonomously choose how to weigh each parameter of a globalidentifier or a computer identifier. Alternatively, in a consortium, acentral repository may determine the weight of each global identifier orcomputer identifier parameter for each of the online merchants.

Accordingly, once a merchant determines that a first fraudulenttransaction may have been made, the merchant can flag the customercomputer identifier, i.e. a Browser ID and delta of time. Thus, acustomer computer may be correlated with a potentially fraudulenttransaction based upon the customer computer identifier. In someembodiments, the computer identifier may include at least its delta oftime and Browser ID, but may also include other personal and/ornon-personal information. Then, the matching parameter can be used toidentify a subsequent transaction which reveals a user or device with anidentical set of computer identifiers. The matching is typicallyimplemented by software, for example, on a hard disk, floppy disk, orother computer-readable medium. The subsequent transaction may occurwith the same merchant or another merchant in the consortium. In someinstances, a trust score may be associated with the customer computerand a fraudulent transaction can negatively impact the trust score forthat computer.

In some embodiments, once a merchant web server determines the computeridentifier (CI) for a first transaction, CI₁ and a subsequenttransaction, CI₂, a comparison can be made as between the twoidentifiers. The two transactions may or may not be with the samemerchant. After the comparison has been made, a computer implementedsoftware program may continue to execute the next step of assigning amatching parameter value to the pair of transactions based on thesimilarities between the first and subsequent transactions. In someinstances, the trust score for a computer of a present transaction maybe provided. The website server running the program to compare computeridentifiers may inform a merchant of the matching parameter value and/ortrust score, which in turn may provide information suggesting to cancelor confirm the transaction, inform the costumer status order, demandmore information, or the like. The merchant may then choose its desiredcourse of action. It shall be understood that the memory of a merchantweb server may contain software programs with instructions to performany combination of these steps to provide these and any other methodsdescribed herein in accordance with the invention.

Such a method may be used for a standalone merchant with customercomputers or devices. Similarly, the method may be applied to one ormore consortia. Either a merchant web server or an authenticationrepository may be determining the computer identifier and either mayassign a matching parameter value. For example, the authenticationrepository may inform a merchant of a value and suggest confirming ordenying the transaction. In some cases, the repository may determine amerchant's course of action. In one or more consortia, the matchingparameter and/or trust score may be determined from information gatheredfrom any transactions with any organizations in the consortia. Also,information gathered or processed by a merchant may be shared with othermerchants in the consortia.

For instance, a series of computer identifiers, CI₁-CI₄, and/or globalidentifiers may be matched. Any description herein of a CI may alsoapply to a global identifier and vice versa. When a CI is generated by amethod or software program by a device to be identified or associatedwith a known fraudulent transaction, it can be compared to anotherselected CI. These CI's may or may not be from transactions withdifferent online organizations in a consortium.

In one embodiment of how fraud detection may be implemented, during acomparison between two transactions, a matching parameter (MP) may becalculated. The calculated value of the MP may consist of a raw numberor score that is dimensionless, e.g., 11.5, or some increment ofmeasurement including time, e.g., hours, minutes, seconds, milliseconds.The matching parameter may be thus compared in a next step to apreselected reference or baseline Matching Value (MV), e.g., 10.0. Amerchant or anyone trying to identify the computer can variably set theMV relative to anticipated or measured MP values. Because of slightdifferences in computer clocks, network latency, variable Web trafficand bandwidth constraints, the delta of time parameters provided hereinmay vary from time to time even for the same selected computer. Apreselected range (delta t) may be therefore defined in accordance withthis aspect of the invention that allows for a certain tolerance settingor range (Range) of MP values relative to the MV. For example, a lowerlimit within the Range may allow for a [+/−1] variance of the MP valuerelative to the MV, or a higher limit within the Range may allow for a[+/−5] variance. When the MP value falls within the defined Rangerelative to the MV, this can indicate a positive match or identification(ID) of a device for various purposes as described herein such aslinking a computer to known online fraudulent transactions. When the MPvalue falls outside of the defined Range relative to the MV, this canindicate a negative match or identification (ID) of a device. It shallbe understood that these MP values may be alternatively defined as aScore Card value and incorporated with other corresponding aspects ofthe invention described elsewhere herein to detect and prevent onlinefraud. The matching parameters, values and ranges described inaccordance with this variation of the invention can be modified anddefined in a variety of ways and are not limited to those specificallyprovided for illustrative purposes. In some instances, a MP may be usedas a DSP or vice versa. The MV may be a threshold for determiningwhether the same device has been used, or vice versa. The precedingsteps may be carried out as methods provided herein, or alternatively asa series of software program instructions and code.

In identifying a user device, some change in a global identifier, deviceidentifier or fingerprint may be permitted. For example, “system drift”must be considered as individual elements that are used to derive adevice identifier can change over time. In one instance, additionalelements not present in the original device identifier, such as a newpiece of software or hardware has been installed, are not worrisome. Inthese cases, the device identifier is updated, and the changes noted.However, changes to existing individual device identifier values may bemore worrisome. In accordance with the invention, each online host mayestablish rules for system drift, such as which one or more elements ofthe device identifier the host perceives as critical and thereforeshould not be changed without causing an exception/error message. Forexample, the serial number of the central processing unit may beconsidered critical and therefore will generate an error message while achange in the amount of memory in the network device alone may not raisea flag. As another example, several non-critical elements of the networkdevice may be changed without raising any concern. Thus, depending onrules established and maintained by each online host or authenticationrepository, a fraudulent transaction may be detected and not beconfirmed.

Furthermore, in accordance with another example of system drift, thedelta of time parameter may be measured as between different timesresulting from inherent limitations or flaws of the computer clock(s) ina single device as opposed to multiple devices. In this embodiment ofthe invention, a device fingerprint or PC fingerprint is created toidentify and link a computer to known fraudulent transactions orbehavior by measuring and tracking an inherent inaccuracy or flaw of aresident clock. In comparison to other embodiments of the invention,which may be described as an “external” delta of time as between twodifferent devices (host server/user client), another variation providedherein provides a device identifier using what may be considered an“internal” delta of time as between a single device itself (standalone).Over a period of time, computers clocks as with other ordinary clocksare not perfect and tend to run fast or slow eventually. The rate atwhich time is gained or lost for a computer clock may be defined as“clock skew” and can be measured in microseconds per second (clock skewmay be also defined as the instantaneous difference between readings ofany two clocks or the time what a computer thinks it is as compared toanother clock). The clock skew may be considered when matching delta oftime parameters from different transactions, and may be a way ofoffsetting a perceived error.

If the clock has a non-zero skew, not only is the end-to-end delaymeasurement off by an amount equal to what can be defined as clockoffset, it also gradually increases or decreases over time depending onwhether it is running relatively faster or slower. Even when there is aconstant clock skew, the clock offset values increases or decreases overtime depending on the sign (+/−) of the skew. So any given computer ordevice described herein can have a single or multiple clocks (e.g.,systems clock, TCP timestamps options clock) that are unable to remainconsistent and accurately track time. But the clock skew of a particulardevice may be different from other (even seemingly identical) computers,and thus serve also as a PC fingerprint linking it to certaintransactions and fraud. It is generally well known that differentcomputer systems have different and relatively constant clock skews.This imperfection or flaw in the device can thus be exploited in a wayto identify a particular device or computer in relation to certaintransactions and behavior since it is relatively persistent and uniquein accordance with the invention. The internal delta of time provided inaccordance with this embodiment can be therefore applied in the samemanner as any other external delta of time described elsewhere herein toprovide a PC fingerprint linked to transactions carried out on devicesinvolving e-tail or e-commerce fraud, breaches in security and varioustypes of criminal online behavior.

The internal delta of time can also be calculated to offset and accountfor apparent changes in the external delta of time parameter over time.In other words, clock skew may also be an example of system drift andmay be factored in comparing external delta of time parameters.

In this embodiment of the invention, the delta of parameter can bemeasured in units of microseconds per second (ms/s, first derivative orrate at which time is gained or lost) while in other embodiments of theinvention the parameter can be measured in microseconds. This delta oftime parameter can therefore be defined as a time difference measuredbetween a first clock measurement and a second clock measurement over aselected period of time or time interval. For example, the TCP timestampof a first packet of data from a computer may indicate a time t₁ (9:01am) while a second packet may be sent at time t₂ (9:02 am). The firstand second packets may arrive at a server at times t₃ (9:04 am) and t₄(9:07 am), respectively. The clock skew of the computer can be thuscalculated as the rate at which time is lost in this instance: t₃−t₁=3mins; t₄−t₂=5 mins (may assume time differences are not attributed tonetwork delays, latency etc. beyond clock skew). The internal delta oftime parameter or clock skew in the context of this embodiment of theinvention herein may be calculated as follows: 5 mins−3 mins=2 minsdivided by 3 mins (which is the selected period of time between firstand second packets). In other words, during the 3 mins of time betweensending the first and second data packets, the computer clock lost orran slow 2 mins (0.666 min/min). While clock skew in general is insteadmeasured on the order of microseconds rather than minutes, this exampleillustrates how these and other embodiments of the invention are notlimited to certain ranges. Other units of measurements are applicable tothe delta of time parameters as mentioned elsewhere herein. It shall beunderstood that both internal and external deltas of time can be appliedindividually or in combination by themselves, or in addition to otherparameters as described herein to provide a distinctive PC fingerprint.

In accordance with some embodiments of the invention, sharing userand/or user device information within one or more consortia may resultin the collection of information in different formats. For example,various user devices may store dates and times in different formats. Onedevice may store a date as Jul. 1, 2006 3:00:00 PM, while another devicemay store the date as 07/01/2006 15:00:00. In order to share data fromdifferent devices which may have different formats, consortium may havea data normalization method which may standardize the data to a commonformat.

In some embodiments an online host may standardize the informationgathered from one or more user devices. Furthermore, in some embodimentsof the invention, an authentication repository may standardize theinformation gathered from one or more hosts. In other embodiments, theonline hosts of a consortium may standardize the information gatheredfrom user devices in the same manner, such that they are alreadystandardized with respect to one another.

Similarly, when one or more consortia are in communication with oneanother, the information gathered from user devices may be normalized.This may occur at the host level, or at the authentication repositorylevel, or any other level. For example, when multiple authenticationrepositories are communicating with one another, the repositories maynormalize the collected data in a consortium, and when communicatingwith another authentication repository, may convert the data fromanother authentication repository into a standard format to share withthe hosts of its own consortium. Any data formatting system or methodmay be set up or developed in order to accommodate the sharing ofinformation from multiple sources across one or more consortia.

FIG. 3 shows an exemplary implementation of the consortium. A pluralityof organizations, such as Airlines 1-6 may be part of a user group,where the members of the user group may agree to share selected data.For example, each of the airlines of the user group may agree to sharefraud-related data. Each airline of the group may interact with one ormore device. For example, user computers may access a server of anairline. In some embodiments, the same user computers may interact withmultiple airlines. Any description herein relating to an airline (orfigures referring to airlines) may also be interchangeable with abanking organization, any other financial institution, a merchant, orany other organization.

The user group may also include a user management module. The usermanagement module may allow members of the group (such as the airlines)to agree to share selected fraud related data. In some embodiments, theuser management module may facilitate the actual sharing of data. Forexample, the user management module may store some of the fraud relateddata. Alternatively, the user management module may assist with thetransfer of data from one airline's server to another airline's server.In other embodiments, it may assist with running the user group withoutactually implementing the data sharing.

The airlines may be sharing any data with one another. For example, theairlines may be sharing computer identifiers (CI) and/or globalidentifier with one another. A CI can consist of one or more personaland non-personal parameters. An example of a non-personal parameter maybe a delta of time parameter. The airlines may share any other personalor non-personal data, which may include name, credit card number, emailaddress, home address, or any other fraud-related data as discussedherein.

A user management module may obtain data elements that may be sharedacross the user group. The shared data elements may include personal information, such as email address, billing address, name, etc., as wellas non-personal information, such as PCPrint information, which may beextracted from a device and be based on a composite of the informationextracted from the device. In some embodiments a PCPrint may be a hashstring based on information collected from the device. In someembodiments, a delta of time parameter may be obtained separately or inaddition to the PCPrint. The combination of the PCPrint and delta oftime parameter may or may not be hashed.

Preferably, data collected to form a computer identifier, such as aPCPrint may be extracted from a device. Data may be extracted withoutdownloading an application or otherwise providing a client to thedevice. Thus, the system may operate taglessly. A computer identifier orother parameters may function differently from a tag, in that they arenot a number or value pushed onto a device. Rather, information may bepulled from the device to form the computer identifier, or any otheridentifying parameter. The system may be operating clientlessly.

FIG. 4 illustrates an implementation of the consortium in a globalsetting. When calculating a delta of time parameter for a user device ina consortium where a user device may interact with one or more onlinehosts, accommodations may be made to enable a consistent delta of timecalculation between the user device and multiple hosts.

A challenge may arise when multiple online host servers have differentclock times or are located in different time zones. For example, serverA may be located at a time zone that is UTC −8, server B may be locateda time zone that is UTC −5, server C may be located at a time zone thatis UTC, server D may be located at a time zone that is UTC +5, server Emay be located at a time zone that is UTC +8, and server F may belocated at a time zone that is UTC +9. The various online host serversmay be located anywhere in the world, such that some or all of theservers may be in different time zones. Similarly, various user devicesmay be located globally as well. For example, client computers 1-7 arescattered throughout the world. Client computers may be able to interactwith one or more servers, which may or may not be in different timezones.

Using the previously described embodiment of the invention ofcalculating a delta of time parameter by taking the difference betweenthe client computer time and the host server local time may result indiscrepancies within a consortium if a standardized time is not used.For example, if a server A is located at UTC −8, and a server B islocated at UTC −5, and client computer 1 is located at UTC −7, a deltaof time between client computer 1 and server A may be +1, while a deltaof time between client computer 1 and server B may be −2. If thisinformation is shared within the consortium, it will appear that clientcomputer 1 has inconsistent delta of times. Various embodiments of theinvention may be used to accommodate calculating a delta of timeparameter within a consortium.

As discussed previously, a website server can capture the local time ofthe client computer, as well as a reference time. In some embodiments ofthe invention, the reference time may be the time of the server'scomputer. The time of a server's computer may include the local servertime and any relevant time zone information, or the server may besynchronized to a set time, such as the authentication repository timeor UTC time. For example, in some cases, the website servers in aconsortium may all automatically be synchronized to a time. Forinstance, the authentication repository may cause the website servers tosynchronize to an authentication repository time, which in some casesmay be synchronized to UTC time.

The synchronization may occur by any methods known in the art. In oneexample, the servers may be synchronized via a satellite or satellitenetwork. In another example, software may be used to synchronize theservers. In some implementations, the website servers may besynchronized to a reference time, such as UTC time, by asking them tovoluntarily synchronize their clocks to the reference time.

In other implementations, the website servers may be synchronized suchthat they are synchronized to their local time—i.e. when it is precisely9:00:00 AM in California, server A may be synchronized to be 9:00:00 AM,while server B may be synchronized to be precisely 12:00:00 PM. Whencalculating a delta of time parameter, the relevant time zoneinformation of the servers may be taken into account. Similarly, in someother implementations, the website servers may not be synchronized atall, such as server A may think it's 9:00:00 AM in California, whileserver B may think it's 12:00:45 PM in New York. The offset between thetwo servers may be tracked and be taken into account. In some cases, theauthentication repository may keep track of the difference in timesbetween the various servers.

In some embodiments of the invention, the reference time may be anauthentication repository time. For example, a delta of time parametermay be determined by the difference between the client computer and theauthentication repository time. In some cases, the authenticationrepository time may be synchronized with a global time, such as UTC, andthe delta of time parameter may be the difference between the clientcomputer and UTC. In some other cases, an authentication repository timemay be an authentication repository local time, or an arbitrary time.

One implementation of the invention taking relevant time zoneinformation into account is illustrated in greater detail. For instance,a delta of time parameter may be calculated between a local client timeand local host server time with relevant time zone information takeninto account. Each local time for any client or server connected to theInternet or other network system can be measured according to the clockfor that particular device. The measured Delta Time parameter for anyselected moment of action in accordance with the invention may beperceived as having two temporal components: an actual time and a timezone. For example, the measured local time at a client site may includea Browser Time of Feb. 1, 2005 14:00:00 PM, and a Browser Time Zone ofUTC −8. In one example, a measured local time at a server site mayinclude a Server Time of Feb. 1, 2005 17:01:13 PM, and a Server TimeZone of UTC −5. The Delta Time as between the Browser Time and theServer Time, and the Browser Time Zone in comparison to the Server TimeZone, can be therefore calculated in accordance with the invention.

A preferable embodiment of the invention provides a Delta Time or timedifferential which takes into consideration daylight saving time (DST)in selected time zones and countries around the world. In addition tocollecting respective local times and time zones from clients orcustomer computers and website servers at a current selected date ormoment of action, a website server or any other network computer canalso capture information relating to particular time and time zones forselected (future or even past) dates. A selected Delta Time during DST(DST Delta Time) can be determined for a particular customer or clientcomputer when the registered time for such other date is different thanthe current selected date. For example, the Delta Time value for suchother date(s) can be +/−one hour ahead or behind. For time zones that donot observe DST, the Delta Time value will remain unchanged during suchdates when DST would be normally observed. By calculating andidentifying values for Delta Time and relevant Time Zones for multipledates ahead of time in accordance with the invention, accurate delta oftime values can be provided to assist in uniquely identifying orfingerprinting a client or customer computer throughout the yearregardless of whether DST is observed in the relevant country or regionof the world. Because only certain countries and regions of the worldobserve DST while others do not, it may be possible to pinpoint in whichlocation the device resides based at least in part on the geo-locationfingerprints provided by the invention.

DST (also called Summer Time) is the portion of the year in which thelocal time of a region is usually advanced by one hour from its officialstandard time. This system was originally intended to “save” daylight,as opposed to “wasting” time (for example, by sleeping past sunrise).The official time is adjusted forward during the spring and summermonths, so that the active hours of daily life involving events such aswork and school will better match the hours of daylight in theory. Todayapproximately 70 countries utilize DST in at least a portion therein—theonly major industrialized country not to have introduced daylight savingis currently Japan. DST begins for most of the United States of Americaat 2:00 AM on the first Sunday of April and clocks are turned (spring)forward one hour. Time reverts to standard time at 2:00 AM on the lastSunday of October and clocks are turned (fall) back one hour. Each timezone switches to and from DST at a different time. Furthermore,legislation may be passed by Congress and other state governmentalbodies from time to time on whether to observe, shorten or lengthen DST.DST for the United States of America and its territories is not observedin Hawaii, American Samoa, Guam, Puerto Rico, the Virgin Islands, mostof the Eastern Time Zone portion of the State of Indiana, and the stateof Arizona (except the Navajo Indian Reservation which does observeDST). Meanwhile, for all countries in the European Union except Iceland,Summer Time begins and ends at 1:00 AM Coordinated Universal Time, UTCwhich generally starts on the last Sunday in March, and ends the lastSunday in October. All time zones change at the same moment in the EU.It shall be understood that observance of DST is controversial and everchanging so the. delta of time parameter provided in accordance withthis embodiment of the invention can be flexibly adapted to devices allover the world when it changes and whether or not DST is observed incertain countries or states within particular time zones.

In this embodiment of the invention, various time zones can bepredetermined such that it is known ahead of time whether or not DST isapplicable for that region. For example, a Delta Time parameter may becalculated for a client computer at some future date(s) during DST. Whenthe clock of a client computer registers a time of 8:00 PM PST(Coordinated Universal Time UTC −8) on a selected date during the fallseason, its respective delta of time is changed one hour ahead to 9:00PM PST (UTC −8) on a selected date in the spring season to account forDST when applicable. By collecting and determining times at one or moreselected dates in the future, it is possible to determine whether adevice will or will not go into DST from the beginning rather thanwaiting until later to see whether the registered time is the same ordifferent. This will also assist in identifying the country or regionfor a selected user device. Accordingly, seemingly unrelatedtransactions can be linked at least in part from a distinctive timestampdelta of time (Delta Time) that can be measured from the internal clockor data (TCP, NTP, RTP etc. timestamps within data packets) sent fromthe device. It should be understood that the Delta Time parameter can becalculated according to any selected units of time as with otherembodiments of the invention herein such as days, hours, minutes,seconds, or milliseconds.

FIG. 5A illustrates an implementation of the consortium with a referencetime. Server A may be located at a time zone that is UTC −8, and serverB may be located a time zone that is UTC —5. User device 1 may belocated at a time zone that is UTC −7 and user device 2 may be locatedat a time zone that is UTC −6.

FIG. 5B shows a table with an example of the use of the consortium witha reference time. For instance, user devices 1 and 2 may interact withserver A. In one transaction, server A's local time may be 1/1/08 9:00AM while user device 1's local time may be 1/1/08 10:00 AM. Additionalinformation about the user computer may be stored in any format, whichin some cases may include a hash string. In some embodiments of theinvention, a delta of time may be calculated as the difference betweenthe user device local time and the server local time, which in this casewould yield an initial delta of time value of +1 hours. In anothertransaction, server A's local time may be 1/1/08 9:05 AM while userdevice 2's local time may be 1/1/08 11:05 AM. If calculating thedifference between the user device local time and the server local time,an initial delta of time value may be +2 hours.

However, as previously discussed, when a user device may interact withmultiple servers which may not have the same time, challenges forcalculating the delta of time may arise. For instance, user devices 1and 2 may also interact with server B. In one transaction, server B'slocal time may be 1/1/08 11:00 AM while user device 1's local time maybe 1/1/08 9:00 AM. If calculating a delta of time as the differencebetween the user device local time and the server local time, an initialdelta of time value for user device 1 would be −2 hours. In anothertransaction, server B's local time may be 1/1/08 11:05 AM while userdevice 2's local time may be 1/1/08 10:05 AM. If calculating a delta oftime as the difference between the user device local time and the serverlocal time, an initial delta of time value for user device 2 would be −1hours. This shows a discrepancy may exist in information shared betweenservers A and B, where for servers A and B, user device 1 has an initialdelta of time value of +1 hours and −2 hours respectively, and userdevice 2 has an initial delta of time value of +2 hours and −1 hoursrespectively.

In some embodiments, the relevant time zone information is consideredand accounted for in the delta of time parameter. For example, thedifference between a server time and a consortium time may be used tooffset the initial delta of time value. For example, if the consortiumtime is UTC time, a time difference between server A and UTC may be −8hours, and a time difference between server B and UTC may be −5 hours.The offset may be added to the initial delta of time value, which forboth servers A and B would yield a delta of time parameter of −7 hoursfor user device 1 with respect to the consortium time, and a delta ofparameter of −6 hours for user device 2 with respect to the consortiumtime. Thus, in some embodiments, adding a delta of time between a localserver time and consortium time to a difference between a user devicetime and a local server time may yield a delta of time parameter for auser device with respect to the consortium time.

In a preferable embodiment, clocks of servers A and B may besynchronized to a consortium reference time, such as UTC. During atransaction between server A and user device 1, user device 1's localtime may be 10:00 AM while the consortium time may be 1/1/08 5:00 PM. Adelta of time parameter may be calculated as the difference between userdevice 1's local time and the consortium time to yield a delta of timeof −7 hours for user device 1. During another transaction between serverA and user device 2, user device 2's local time may be 11:05 AM whilethe consortium time may be 1/1/08 5:05 PM. A delta of time parameter maybe calculated as the difference between user device 2's local time andthe consortium time to yield a delta of time of −6 hours for user device2.

Similarly, during a transaction between server B and user device 1, userdevice 1's local time may be 1/1/08 9:00 AM while the consortium timemay be 1/1/08 4:00 PM. A delta of time parameter may be calculated asthe difference between user device 1's local time and the consortiumtime to yield a delta of time of −7 hours for user device 1. Duringanother transaction between server B and user device 2, user device 2'slocal time may be 1/1/08 10:05 AM while the consortium time may be1/1/08 4:05 PM. A delta of time parameter may be calculated as thedifference between user device 2's local time and the consortium time toyield a delta of time of −6 hours for user device 2. The delta of timeparameters of user devices 1 and 2 may be consistent between servers Aand B because servers A and B are synchronized to a consortium time.

FIG. 6A illustrates an additional implementation of the consortium witha reference time. Server A may be located at a time zone that is UTC −7,and server B may be located a time zone that is at UTC time. User device1 may be located at a time zone that is UTC −5.

FIG. 6B shows a table with an additional example of the use of theconsortium with a reference time. For instance, user device 1 mayinteract with servers A and B. In one transaction, server A's local timemay be 1/1/08 8:00 AM while user device 1's local time may be 1/1/0810:00 AM. In some embodiments of the invention, a delta of time may becalculated as the difference between the user device local time and theserver local time, which in this case would yield an initial delta oftime value of +2 hours. In another transaction, server B's local timemay be 1/1/08 4:00 PM while user device 1's local time may be 1/1/0811:00 AM. If calculating a delta of time as the difference between theuser device local time and the server local time, an initial delta oftime value for user device 1 would be −5 hours. Again, this shows adiscrepancy may exist in the information shared between servers A and B.

In some embodiments, the relevant time zone information is corrected andaccounted for in the delta of time parameter. For example, thedifference between a server time and a consortium time may be used tooffset the initial delta of time value. For example, if the consortiumtime is UTC time, a time difference between server A and UTC may be −7hours, and a time difference between server B and UTC may be 0 hours.The offset may be added to the initial delta of time value, which forboth servers A and B would yield a delta of time parameter of −5 hoursfor user device 1 with respect to the consortium time. Thus, in someembodiments, adding a delta of time between a local server time andconsortium time to a difference between a user device time and a localserver time may yield a delta of time parameter for a user device withrespect to the consortium time.

This principle may apply in any situation where the servers are notsynchronized. For example, server times may be determined by their ownclocks, which may or may not be accurate. Adding a time differencebetween the server time and consortium time to the difference between auser device time and server time may yield a delta of time parameter fora user device with respect to the consortium time, irrespective ofwhether a server clock is accurate or not. However, the time differencebetween the server time and consortium time must be tracked in order tocalculated offsets.

In a preferable embodiment, clocks of servers A and B may besynchronized to a consortium reference time, such as UTC. During atransaction between server A and user device 1, user device 1's localtime may be 1/1/08 10:00 AM while the consortium time may be 1/1/08 3:00PM. A delta of time parameter may be calculated as the differencebetween user device 1's local time and the consortium time to yield adelta of time of −5 hours for user device 1. Similarly, during atransaction between server B and user device 1, user device 1's localtime may be 1/1/08 11:00 AM while the consortium time may be 1/1/08 4:00PM. A delta of time parameter may be calculated as the differencebetween user device 1's local time and the consortium time to yield adelta of time of −5 hours for user device 1. The delta of timeparameters of user device 1 may be consistent between servers A and Bbecause servers A and B are synchronized to a consortium time.

In another embodiment of the invention, a delta of time parameter may becalculated between the user device local time and an authenticationrepository time. For instance, the delta of time parameter may becalculated as user device 1's time minus repository time X. Repositorytime X may be the consortium reference time, which in someimplementations may be UTC time. However, regardless of what the actualvalue of X is, during a first transaction between server A and userdevice 1, user device 1's local time may be 1/1/08 10:00 AM whilerepository time may be X. A delta of time parameter may be calculated as1/1/08 10:00 AM−X hours for user device 1. Similarly, during a secondtransaction that occurs 1 hours later between server B and user device1, user device 1's local time may be 1/1/08 11:00 AM while therepository time may be X+1:00 hour. A delta of time parameter may becalculated as 1/1/08 11:00 AM−(X+1 hour)=1/1/08 10:00 AM −X hours foruser device 1. The delta of time parameters of user device 1 may beconsistent between servers A and B when the delta of time is takenbetween the user device and authentication repository.

As discussed previously, a consortium time may be any reference time,which in some cases may be the UTC time. Also, any other reference timemay be used, including an arbitrary time, or an authenticationrepository clock time, which may be the local time according to anauthentication repository clock or which may be synchronized to anothertime, such as UTC time.

Another aspect of the invention provided herein extends to detecting andpreventing fraudulent transaction based on information obtained through“scams” or deceptive practices developed to gain personal, confidentialand/or financial information. For example, a common technique todayknown as “phishing” involves gaining personal information from anindividual to commit identify theft by typically using fraudulent e-mailmessages that appear to come from legitimate businesses. “Phishing” canbe defined as the act of sending an e-mail to a user falsely claiming tobe an established legitimate enterprise in an attempt to scam the userinto surrendering private information that will be used for identitytheft. The e-mail often directs the user to visit a website where theyare asked to provide or update personal information, such as passwordsand credit card, social security, and bank account numbers, that thelegitimate organization already has. But the website to which the useris directed is phony and established to steal the user informationduring a fake session. For example, a widely recognized website, e.g.,eBay, can be targeted in a phishing scam whereby users received e-mailssupposedly claiming that the user account is about to be suspendedunless they clicked-on a provided link and updated the credit cardinformation that the genuine website already had. Because it isrelatively simple to make a website look like a legitimate organizationssite by mimicking the HTML code, people can be tricked into thinkingthey were actually being contacted by the website and will subsequentlygo to the fraudulent site to update or provide their accountinformation. Moreover, by spamming large groups of people (or spIMmingthem which spam sent over Instant Messaging (IM) applications that caninclude links to fake sites), the “phisher” could rely on a responsefrom at least some percentage of people who actually had listed creditcard numbers with the website legitimately. The concept of phishing ingeneral can also referred to as brand spoofing or carding, a variationon the idea whereby bait is set with the hope that some will bitedespite most individuals knowing better. By way of these seeminglylegitimate e-mails, criminals “go fishing” for information which is inturn later used to gain access to a real account. Such informationincludes commonly stolen items in identify theft including a personalidentification number (PIN), user account name, a credit card number,and an account number. Regardless of how this information is obtained,the fraud detection and prevention systems provided herein incorporateunique fraud parameters such as delta of time and clock differentialparameters to “phish”-out fraudsters from legitimate users.

The criminal act that is often committed after information is “phished”can be ultimately referred to as “account takeover.” These scams arecommonly committed by e-mail to users at least partially becausemillions can be rapidly and efficiently sent to random or selectedindividuals, but other techniques can involve transmission of a virusthrough attachments to e-mails. In particular, some viruses can becreated to replace the universal resource locator (URL) of a merchant,financial institution or other party commonly stored in a web browser“Favorites” folder. Instead of being routed to an intended legitimatewebsite, the user is sent to a fake or spoofed site where userinformation is shared unknowingly with a fraudster. Similar in nature toe-mail phishing, another Internet scam referred to as “pharming” seeksto obtain personal or private (usually financial related) informationthrough domain spoofing. Rather than being spammed with malicious andmischievous e-mail requests for you to visit spoof websites which appearlegitimate, pharming can “poison” a DNS server by infusing into it falseinformation resulting in a user request being redirected elsewhere. Abrowser however will indicate the correct website location, which canmake pharming a bit more serious and more difficult to detect. Adistinction however is that generally phishing attempts to scam peopleone at a time with an e-mail while pharming allows the scammers totarget large groups of people at one time through domain spoofing.Meanwhile, “spoofing” basically includes a variety of ways in whichhardware and software can be fooled into operating as if there was alegitimate transaction or exchange taking place. “IP spoofing” moreparticularly involves trickery that makes a message appear as if it camefrom an authorized IP address, e.g., e-mails spoofing. As a result,access can be gained to computers through IP spoofing when an intrudersends messages to a computer with an IP address indicating that themessage is coming from a trusted host. To engage in IP spoofing, ahacker must first use a variety of techniques to find an IP address of atrusted host and then modify the packet headers so that it appears thatthe packets are coming from that host.

Malicious software (aka malware) can be also involuntarily downloaded toa computer and designed specifically to damage or disrupt a system bymeans of a virus or a Trojan horse. A “Trojan horse” is a program thatmasquerades as a benign application and unlike many viruses, they do notreplicate themselves but can be just as destructive. One of the mostinsidious types of Trojan horse is a program that claims to rid yourcomputer of viruses but instead introduces viruses onto a computer. Theconcepts relating to fraud detection and prevention can be applied alsoto other traditional methods of stealing personal information alsoinclude e-mail or other means that involve a fake premise or story suchas seeking help fleeing from a third world country (e.g., Nigerian scam)or conducting some type of customer service call or transaction (e.g.,“Hello, I am from your bank . . . ”).

The fundamental problem of user authentication is exploited time andtime again in order to commit fraudulent transaction online. Bothfinancial institutions and merchants face a shared problem and ultimatechallenge in properly authenticating who is really on the opposite endof a transaction. Information such as account user names and passwordsare useless and rendered ineffective as reliable credentials in light ofphishing and other Internet fraud scams. Authentication can be attemptedby obtaining various types of information broadly ranging from any orall of the following: something you have; something you know; and/orsomething you are (biometrics). These include information obtained fromtokens (hard, soft, dynamic), shared secret or things not commonly knownsuch as a mother's maiden, a pet's name or a favorite color. An evolvingsystem of security certificates (encryption with public keyinfrastructure (PKI), secure sockets layer (SSL)) may be relied uponalso to verify and authenticate the validity of a party involved in anInternet transaction. Third party bureaus are also relied upon toprovide information that can be used to authenticate an individual suchas D&B reports, credit histories from Equifax and other agencies, andalso Caller ID to identify the number associated with a person. At thesame time, a user may attempt to authenticate a merchant, bank or otherparty at the other end of an online transaction also. Various tool barsmay be employed to allow users to verify a website, an IP address orsome other indication that a user is indeed in contact with a merchant,bank or other desired party in a transaction.

The information and actions by a party attempting to prevent or detectfraud is often met with an equally effective and opposite countermeasureby learned fraudsters. When banks or merchants create user names andpasswords, they can be rendered ineffective by numerous scams and waysof obtaining user information such as phishing and key-loggers.“Key-loggers” are a type of surveillance software such as spyware thathas the capability to record keystrokes to a log file (usuallyencrypted) made from instant messages, e-mail and any information(including e-mail addresses and website URLs visited) typed using akeyboard which can be later sent to a specified receiver. Key-loggers,as a surveillance tool, are often used by employers to ensure employeesuse work computers for business purposes only. Unfortunately,key-loggers can also be embedded in spyware allowing your information tobe transmitted to an unknown third party.) Similarly, cookies that areoften created to contain selected information used for identificationcan be simply deleted, and IP addresses that are associated with fraudcan simply hide behind proxies.

Furthermore, when tokens are frequently used as a security measure togain access to user information, the entire session or exchange can bemerely cloned. The term “session cloning” may be defined as the abilityof a third party to duplicate the session ID of a user and use it tointeract with the web-based application at the same time as the originaluser. Session cloning is generally more of a threat when session IDs arepredictable or obtainable, or if the site allows IP hopping. IP hoppingis permitting the user to change their IP address mid-session withouthaving to re-authenticate to the website. To minimize fraud and preventIP hopping, one alternative is to track the domain of the source address(remembering domains can have more than two components) and requirere-authentication if the domain changes. This does not prevent IPhopping within the same ISP but does limit the exposure. Another optionto minimize risk is to consider using an inactivity timeout orterminating a session after a certain period of inactivity in order toprotect people who leave their accounts signed-on and their systemsunattended. Regardless of these preventative measures taken againstsession cloning, the risk of fraud remains which provides an opportunityfor the invention herein to detect and prevent such activity when anattempt is made to use information from a computer.

Additionally, systems and methods described herein may be used toestablish device and/or user reputation. A trust or reputation score orrating may be generated. In some instances, reputation scores may bebuilt or evolve over time. Low reputation scores may be indicators ofincreased fraud threat, such as those described herein. High reputationscores may be indicators of decreased fraud threat. In some instances,“denial of service” (DDOS) attacks, such as distributed denial ofservice attacks, may occur in an attempt to make a machine or networkresource unavailable to its intended users. Perpetrators may targetsites or services, and saturate the target machine(s) with externalcommunication requests, such that it cannot respond to legitimatetraffic, or responds so slowly as to be rendered essentiallyunavailable, which can lead to server overload. The DDOS attack canforce the targeted device(s) to reset, or consume their resources sothat it can no longer provide its intended service or obstruct thecommunication media between the intended users and the victim.Establishing a trust or reputation score can assist with preventing orreducing the effectiveness of DDOS attacks. In some instances, deviceswith low reputations can be ignored by the servers or other devices. Insome instances, during an attack, all devices may be ignored, exceptthose that have a high reputation or trust, which may be permitted topass through to access the servers or other devices. Thus, devices withhigh reputations may be provided access in situations where otherdevices are denied access.

It shall be understood that the description of fraudulent schemesprovided herein is not exhaustive and that additional techniques will bedeveloped in the future to improperly gain access to user information.Regardless of the means and methods used to obtain such information, theconcepts of the invention can be applied to detect and prevent fraud byuniquely linking or fingerprinting such criminal activity with devicesbased upon selected delta of time parameters, clock differentials andtime based parameters provided elsewhere herein. The sharing ofinformation across one or more consortia may allow fraud detectionsystems to benefit from a larger pool of information, and thereby bemore likely to detect and prevent fraud. These solutions can beimplemented with no behavioral modification and have a zero impositionon a user as new ways are constantly developed to break past securitybarriers. The onus is not placed on the consumer to prevent attacks, noris the consumer asked to change certain behavior to combat phishing orany other criminal behavior or scheme developed in the future.

An aspect of the invention may be directed to identifying a device inorder to provide a device with access to a system or enable a device toperform an action with a system. For example, a device may be attemptingto engage in an online transaction. In some instances, the device mayperform an online transaction with an entity via the entity's system ora third party system. In some instances, the device may be permitted toaccess the system (e.g., access information on the system) or perform anaction (e.g., online transaction), once the device has been verified.

In some instances, the device may be verified or information about thedevice may be accessed by the entity or the third party system. In someexamples, the third party system may be a bank (e.g., acquiring bank,issuing bank) or global financial service (e.g., credit card company,debit card company, prepaid card company, gift card company, bank). Insome instances, the third party system may be verifying or confirming atransaction between the device and the entity. For example, if theentity is a merchant, a user may participate in a financial transactionwith the merchant. The merchant, or a financial institution involved inverifying the payment on behalf of the merchant, may be able to useinformation identifying the device to access records associated with thedevice. Such records may assist in determining whether to confirm ordeny the transaction. The records may include reputation informationabout the device, which may be used for confirming or denying thetransaction.

In some embodiments, a registry may be provided wherein the device maybe registered. In some instances, the device may be pre-registered viaan action by a user of the device. For example, a consumer for an onlinemerchant or other entity may register the device with the registry. Suchregistration may occur by the user manually entering information aboutthe device and/or user, or by automatically collecting information aboutthe device and/or user, or any combination thereof. For example, theuser may select an option to register the device, and the device'sfingerprint may be collected. Information used to identify and/orregister the device may include any information discussed elsewhereherein, including but not limited to IP addresses, delta of timeparameters, or any other information. Specific characteristics of thedevice may be collected alone or in combination. A registry may have adevice identifier for the registered device which may be derived frominformation about the device, such as a non-personal parameter and adelta of time parameter. Optionally, such information may be extractedfrom the device in a tagless manner. Such information may be pulledwithout requiring further intervention from the user. Alternatively, theuser may provide additional information that may assist with theregistration process. The user may provide information that may connectthe user personal information with the user device information.

A user may be presented with a graphical user interface for registeringthe device. In some embodiments, the graphical user interface may bedisplayed on the device to be registered. Alternatively, the graphicaluser interface may be displayed on a separate device from the device tobe registered. The graphical user interface may prompt a user to provideinformation about the user and/or the user device. In some embodiments,information about the device may be collected for registering the devicewithout requiring any entry of information through the graphical userinterface. The user may be authenticated (e.g., enter a password) priorto registering a device. The registered device may be associated in theregistry with user information.

In some embodiments, a device may only be permitted to access a systemand/or interact with the system if the device has been registered in theregistry. Information about the device may be collected and compared toinformation in the registry to determine if the device has already beenregistered. For example, a device fingerprint may be pulled when thedevice is attempting to access a system and/or perform an action. Thedevice fingerprint may be compared to one or more device fingerprintstored in the registry. One or more characteristic of the device (e.g.,IP address, delta of time), alone or in aggregate may be compared withone or more characteristic of the device stored in the registry. It maybe determined whether a device identifier for the current device matchesa device identifier stored in the registry. Strict or loose tolerancesfor matching may be provided. In one example, a matching parameter maybe generated between the device information stored in the registry andthat is currently being used. If fewer differences are provided betweenthe current device and a registered device, the matching parameter mayhave a lower value, or a higher value. If the matching parameter fallswithin an expected range (e.g., indicating a high likelihood of amatch), the current device may be identified as the registered device.In some embodiments, the match of the characteristics of the devicesmust be exact in order to identify a current device as a registereddevice. In other embodiments, some parameters may change slightly andstill permit a current a device to be identified as a registered device.Once there is confirmation that the current device is on the registry,the device may be permitted to access the system and/or perform anaction on the system.

The registry may serve as a gatekeeper to determine whether a device maybe able to access the system and/or perform an action. For example, if adevice has not been registered, the device may be prevented fromaccessing the system and/or performing an action on the system. In someinstances, the devices may be capable of performing certain actions onthe system without being on the registry, but may require registrationfor performing other specific actions (e.g., transactions involving theexchange of funds, goods, and/or services, or accessing sensitiveinformation).

In some embodiments, a device may be flagged as engaging in fraudulentor suspicious behavior. Such information may be tracked by the registry.In some instances, access may be denied or restricted for such flaggeddevices. For example devices with known fraudulent transactions may beprevented from making online transactions. Devices that have beenengaging in suspicious activity may be prevented from making onlinetransactions. In some embodiments, information about suspicious activitymay be accumulated over time. Such information may be provided to theregistry and/or stored at the registry. In some embodiments, a thresholdof suspicious activity may be surpassed before putting a registereddevice on a blacklist where the device can not be used to performcertain online transactions. A registry may track and/or monitor whichdevices have permission to access and/or perform actions within a system(which may encompass a single entity or multiple entities), and which donot.

The registry may link user information with device information. Forexample, users may register specific devices. The users may specify thatonly registered devices may be used to access the system and/or performan action. In one instances, only registered devices may be used foronline transactions that involve the user. If someone who claims to bethe same user tries to access the system using a different device, thesystem may deny access. This may provide an additional level ofsecurity. The user may add or remove devices from the registry. The usermay be authenticated prior to adding or removing devices from theregistry. Different levels of access and/or actions may be permitteddepending on device identity. For example, the user may specify that afirst device may be able to perform all types of online transactionswhile a second device may be used for only particular types oftransactions.

In some embodiments, a registry may be specific to a merchant, onlineorganization, or other entity. For example, each entity may have its ownregistry where the user may register one or more devices. The rules ofwhether a device can be used for various levels of access and/or actionmay be specific to the entity. For example, a user may have an accountat a first website, and may register a first device and a second device.The user may have an account at a second website and may register thesecond account only. The registries may or may not share information.Sharing information may occur via a consortium, such as those describedelsewhere herein. For example, if a device is found to be fraudulentbased on a transaction with a first entity, such information may beshared among the various entities of the consortium, and registries maybe updated accordingly. For example, if a fraudulent transaction occurswith a first entity, the registry of a second entity may be flagged forthe same device, and that device may be denied access or may not bepermitted to perform an online transaction at the second entity. Deviceidentification in order to determine if the device is already registeredmay occur in accordance with embodiments described elsewhere herein. Forexample, a device fingerprint may be taken. One or more characteristicof the device, such as IP address and/or delta of time parameter may beused to determine whether a device is one of the devices that the userhas registered.

In some embodiments, a registry may be shared across a consortium. Auser may specify devices that are to be registered with the registry andpermitted to access and/or perform certain actions on behalf of theuser. This may be applied universally to all of the entities within theconsortium. For example, the user may access a first website and asecond website. The user may specify a first device and second devicethat has been registered with the consortium registry. Thus, the firstand second devices may be used to perform an online transaction on thefirst and second websites on behalf of the user. A user may be able toadd or remove a device from a registry, and such addition or removal ofthe device may be applied to all entities across the consortium. Deviceidentification in order to determine if the device is already registeredmay occur in accordance with embodiments described elsewhere herein. Forexample, a device fingerprint may be taken. One or more characteristicof the device, such as IP address and/or delta of time parameter may beused to determine whether a device is one of the devices that the userhas registered with the consortium registry.

The registry may be stored in any memory described herein. The registrymay be distributed over a single or multiple databases. In someinstances, the registry may be provided in a distributed manner on acloud computing infrastructure. The registry may be provided with anauthentication repository or separately from the authenticationrepository. The registry may also operate in a peer to peer manner.

The systems and methods described herein may utilize or be combined withaspects, components, characteristics, steps, or features of one or moreof the following: U.S. Pat. No. 7,853,533 issued Dec. 14, 2010; U.S.Patent Publication No. 2009/0083184 published Mar. 26, 2009; U.S. patentapplication Ser. No. 12/732,034 filed Mar. 25, 2010 entitled SYSTEMS ANDMETHODS OF SHARING INFORMATION THROUGH A TAG-BASED CONSORTIUM [AttorneyDocket No. 31718-712.201]; and PCT Patent Application No.PCT/US2013/053495 filed Aug. 2, 2013 entitled SYSTEMS AND METHODS FORACCESSING RECORDS VIA DERIVATIVE LOCATORS [Attorney Docket No.31718-718.601], which are hereby incorporated by reference in theirentirety.

It should be understood from the foregoing that, while particularimplementations have been illustrated and described, variousmodifications can be made thereto and are contemplated herein. It isalso not intended that the invention be limited by the specific examplesprovided within the specification. While the invention has beendescribed with reference to the aforementioned specification, thedescriptions and illustrations of the preferable embodiments herein arenot meant to be construed in a limiting sense. Furthermore, it shall beunderstood that all aspects of the invention are not limited to thespecific depictions, configurations or relative proportions set forthherein which depend upon a variety of conditions and variables. Variousmodifications in form and detail of the embodiments of the inventionwill be apparent to a person skilled in the art. It is thereforecontemplated that the invention shall also cover any such modifications,variations and equivalents.

1.-21. (canceled)
 22. A computer-implemented method comprising: by acomputer processor of an authentication server: receiving a first deviceidentifier associated with a first device during an online transaction;comparing the first device identifier to a second device identifier toformulate a device similarity score; determining that the second deviceidentifier evolved from the first device identifier based at least inpart on the device similarity score and an indication that one or moreparameters associated with the second device identifier have changed;retrieving a trust score associated with the second device identifier,the trust score indicating a likelihood of a device associated with thesecond device identifier to engage in a fraudulent activity; and basedat least in part on a determination that the trust score associated withthe second device identifier is below a predetermined threshold,flagging the online transaction associated with the first deviceidentifier as potentially fraudulent.
 23. The computer-implementedmethod of claim 22, wherein the device similarity score indicates alikelihood that the first device identifier and the second deviceidentifier belong to the first device.
 24. The computer-implementedmethod of claim 22, wherein the device similarity score is determinedbased at least in part on numerical or value differences between one ormore parameters associated with the first device identifier and thesecond device identifier.
 25. The computer-implemented method of claim22, wherein the device similarity score is determined based at least inpart on similarity thresholds for each of parameters associated with thefirst device identifier and the second device identifier.
 26. Thecomputer-implemented method of claim 25, wherein the similaritythresholds are determined based at least in part on expected rate ofchange for each of the parameters associated with the first deviceidentifier and the second device identifier.
 27. Thecomputer-implemented method of claim 22, wherein the second deviceidentifier is associated with one or more known online fraudulenttransaction.
 28. The computer-implemented method of claim 22, whereinthe first device identifier is associated with an anchor valuecomprising personal information of a user of the first device.
 29. Thecomputer-implemented method of claim 28, wherein the anchor is selectedfrom one or more of the following: email address, credit card number,name, social security number, phone number, IP address, class C address,user ID, ABA routing number, or account number.
 30. Thecomputer-implemented method of claim 22 further comprising: based atleast in part on a determination that the trust score associated withthe second device identifier is below the predetermined threshold,denying the online transaction.
 31. The computer-implemented method ofclaim 22 further comprising: based at least in part on a determinationthat the trust score associated with the second device identifier isbelow the predetermined threshold, requesting additional authenticationinformation from the first device.
 32. The computer-implemented methodof claim 22 further comprising: based at least in part on thedetermination that the second device identifier evolved from the firstdevice identifier: accessing a global identifier associated with thefirst device identifier and the online transaction; and associating thesecond device identifier with the global identifier, wherein the globalidentifier is used to track evolution of device identifiers of the firstdevice over time.
 33. The computer-implemented method of claim 22further comprising: based at least in part on a determination that thetrust score associated with the second device identifier is above thepredetermined threshold: retrieving a trust score associated with thefirst device identifier; and increasing the trust score associated withthe first device identifier.
 34. The computer-implemented method ofclaim 22, wherein the comparison between the first device identifier andthe second device identifier comprises: comparing the second deviceidentifier and a plurality of the previous device identifiers associatedwith the first device identifier.
 35. The computer-implemented method ofclaim 22 further comprising: based at least in part on the determinationthat the second device identifier evolved from the first deviceidentifier, associating the trust score associated with the seconddevice identifier with the first device identifier.
 36. A systemcomprising: a processor; a memory storing computer-executableinstruction that, when executed, cause the processor to at least:receiving a first device identifier associated with a first deviceduring an online transaction; comparing the first device identifier to asecond device identifier to formulate a device similarity score;determining that the second device identifier evolved from the firstdevice identifier based at least in part on the device similarity scoreand an indication that one or more parameters associated with the seconddevice identifier have changed; retrieving a trust score associated withthe second device identifier, the trust score indicating a likelihood ofa device associated with the second device identifier to engage in afraudulent activity; and based at least in part on a determination thatthe trust score associated with the second device identifier is below apredetermined threshold, flagging the online transaction associated withthe first device identifier as potentially fraudulent.
 37. The system ofclaim 36, wherein the computer-executable instructions further cause theprocessor to: based at least in part on a determination that the trustscore associated with the second device identifier is below thepredetermined threshold, requesting additional authenticationinformation from the first device.
 38. The system of claim 36, whereinthe computer-executable instructions further cause the processor to:based at least in part on the determination that the second deviceidentifier evolved from the first device identifier: accessing a globalidentifier associated with the first device identifier and the onlinetransaction; and associating the second device identifier with theglobal identifier, wherein the global identifier is used to trackevolution of device identifiers of the first device over time.
 39. Anon-transitory computer storage medium storing thereincomputer-executable instructions that, when executed, cause a processorof a computer system to: receive a first device identifier associatedwith a first device during an online transaction; compare the firstdevice identifier to a second device identifier to formulate a devicesimilarity score; determine that the second device identifier evolvedfrom the first device identifier based at least in part on the devicesimilarity score and an indication that one or more parametersassociated with the second device identifier have changed; retrieve atrust score associated with the second device identifier, the trustscore indicating a likelihood of a device associated with the seconddevice identifier to engage in a fraudulent activity; and based at leastin part on a determination that the trust score associated with thesecond device identifier is below a predetermined threshold, flag theonline transaction associated with the first device identifier aspotentially fraudulent.
 40. The non-transitory computer storage mediumof claim 39, wherein the computer-executable instructions further causethe computer system to: based at least in part on a determination thatthe trust score associated with the second device identifier is belowthe predetermined threshold, request additional authenticationinformation from the first device.
 41. The non-transitory computerstorage medium of claim 39, wherein the computer-executable instructionsfurther cause the computer system to: based at least in part on thedetermination that the second device identifier evolved from the firstdevice identifier: access a global identifier associated with the firstdevice identifier and the online transaction; and associate the seconddevice identifier with the global identifier, wherein the globalidentifier is used to track evolution of device identifiers of the firstdevice over time.